Anyone dealing with the iOS 10 and MobileIron Tunnel VPN issues? "Known Issue: Inconsistent Per App VPN behavior in iOS 10 when using MobileIron Tunnel"
Anyone getting reports of iOS10 OTA update failing requiring iTunes restore?
https://www.reddit.com/r/apple/comments/52lp8o/ios10_installation_failing/
There are reports of device bricking with the iOS 10 update.
I’m curious to hear what it stems from. I’ve gone through several public beta updates to the GM and it’s been seamless
http://www.macrumors.com/2016/09/13/apple-ios-10-update-issue-fixed/
Anyone come across this little glitch? Seeing something familiar to it, but I think it has more to do with our internal network ACLs than iOS - Waiting for Apple to hopefully do a verbose trace and determine what URLs are failing to connect for the device
@ericwoodland uploaded a file: The device console log I’m seeing is:
Palo Alto. Just finished running a packet capture yesterday from a failing device. I think it's going to come down to 2 things. 1) Cached Internal Apple DNS records 2) Palo Alto denies to certain URLs
@macbentosh I’m back today, if you still need an assist w/ that provisioning profile update
Just happened to see it in my Twitter feed. Welcome!
So how is MobileIron looking to leverage the facial recognition on the iPhone X? I pretty sure every EG member will be asking for the device and having to fall back to using lock screen pins and AppConnect codes instead of relying on fingerprint will be a problem.
Can’t say anything officially, but here’s a start: http://i.coschedule.com/c00a3
*Thread Reply:* I'm advised integration/APIs are linked to TouchID at the moment, i.e. if you disable TouchID, then FaceID is disabled too
I’d imagine it’ll go just like TouchID did. On or Off. If off, revert to PIN/Passcode unlock
@Woody wink-wink. We'll definitely pay attention.
Right on! Of course, no guarantees there will be any mention but it’s a good spot to voice the question!
You’re most welcome, @aaron! Good find.
Curious about iOS 11 and the new Provisional DEP in Configurator 2.5? We’ve been doing research on this, and published on Enterprise iOS. Bottom line: it works, for small batches. http://eios.us/2eY6E83
Hey Aaron. We saw this too but haven't played with it yet. Still waiting for configurator to be released out of beta. Cool feature though.
Hi all. FYI - http://www.brianmadden.com/podcast/Deep-dive-on-iOS-11-in-the-enterprise-BrianMaddencom-Podcast-131
Did everyone remember to update their DEP agreements?
Just got our first batch of iPhone 8's and 8+'s. They show up as iPhone 10,4 in Core. I remember reading something on the support site about this. Any idea when this will be remedied?
iPhone10,4 is Apple’s identifier for these. Any resemblance to an iOS version is coincidental. See more here: http://www.enterpriseios.com/wiki/iOS_Devices
We can check to see when the most recent update went out (and what platform support it included). My guess is that the identifier for the 8/X will be included in the next round, since they’ve been formally introduced.
@onires53 - DPU Pack for iPhone 8, iPhone 8 Plus and Apple TV 4K just went out for Core
@Woody I saw the MI notice this morning and sure enough it is showing up properly our Core. Thanks!
Good deal @onires53! I had been tracking it internally but didn’t want to say anything until it had been formally released
Anyone tried pushing an update to an in-house iOS app via cellular recently?
*Thread Reply:* e.g app v1.0 is installed, v1.1 is added to MDM and update command pushed.
*Thread Reply:* Does the ‘Use Cellular Data’ need to be enabled for v1.1 to be downloaded/installed? ~10MB update in this case.
@Woody uploaded a file: TeamViewer integration for iOS is looking good -
@here anyone know if there’s an MDM command that will allow the Text Size to be changed for supervised devices?
I’m hearing a request for this, for fleet devices assigned to senior employees
*Thread Reply:* Nice! Could it be changed once the device is in the field? I’m not certain it would need to per se, but the client expressed interest in being able to tweak based on who was using the device.
*Thread Reply:* Yes-ish. You’d need to re-image the device. (Which is easy with GC.)
@Martin Cygan uploaded a file: “Official” numbers from Mixpanel!
@Martin Cygan how many devices are you monitoring? Why is there still a steady number of “older”?
THIS REPORT WAS GENERATED FROM 411,472,653,188 RECORDS
https://mixpanel.com/trends/#report/ios_11/from_date:-41,report_unit:day,to_date:0
Fairly certain my assumption (no) is still correct, but... is it possible to push a provisioning/configuration profile that automatically allows location services and notifications on a DEP device?
I think you are still correct, have not seen any changes recently (iOS 10 or 11) regarding this
Yeah @Jeremy, an in-house app coming down to a DEP device. Customer’s staff keep forgetting to accept upon installation
@Woody Location Services, no. Notifications, yes, using the Managed Notifications Payload. See here: https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW604
@here Anyone noticed an issue (all the way up through iOS 11.0.3) when you: 1) Enroll in MDM 2) Exchange config pushes 3) Set a mobile Exchange signature in Settings 4) Retire 5) Re-enroll 6) Exchange config pushes and an old signature (pre-dating the one set in step 3) populates?
Not surprising. Signatures are stored in prefs independent from accounts.
I've noticed this across devices and different EMMs, so there's definitely something stuck.
Yeah, I wish the MDM Profile had more control over elements (such as the signatures) that technically fall under its scope
More control would definitely be awesome. Keeping the signature when mail address and server do not change sounds like a good design, as it removes the need for the user to reconfigure everything if the company has to repush the mail profile, for whatever reason.
@Fabian I’ve long thought that predefined signature and ability to enable Mail/Contacts/Calendars/Notes should be controlled by the Exchange config. Perhaps we’ll see it in iOS 11.3?
Quick question. I am supposed to migrate a VIP to a new iPhone. However, the backup was once encrypted and has a password on it that no one knows.
or you can delete the existing backup and start again without password
@Ole Schulenburg https://support.apple.com/en-us/HT205220 “If you can’t remember the password for your encrypted backup”
There is a school of thought that if a user cannot remember their passwords, perhaps they shouldn’t be let loose with a device… 😉
@Ole Schulenburg there is a very well known bug that an encrypted backup doesn’t recognize your correct password. I fell victim to this on my current iPhone 7+ and I know it’s the correct encrypted backup password because it’s the only one I have ever used. The only way to get access to it from a normal approach, meaning no software assisted attempts, is to try every password known to that person in hopes it will work. There are a few lengthy threads in Apple forums about this and results vary widely in what works. I suggest just manually setting up the new iPhone, as painful as that is, so that there’s a clean slate to start with, unless you have time and some luck.
@HackediOS see @aaron’s response. Since iOS 11 you can reset the password. 🙂
@Ole Schulenburg yes, you can reset the password, but the encrypted backup is unusable, hence why I said what I said if you are trying to still use that encrypted backup. What I should have clarified is pre-iOS 11 because not everyone updates to the newest firmware or wants to.
Hi guys! Is there a known issue with iOS 11.1 and WiFi certificates trust? I’m having a user who reports untrusted radius prompts
Only for the first connection to that WiFi - I think this has been an iOS 10 limitation as well, IIRC.
Drat, forgot to put it into a thread. I expect to be flamed any moment now…
It's fine @Jason, @Woody still appears to be sleeping
I’m just trying to figure out if the issue is that the customer has changed something on their end
*Thread Reply:* According to the MI Community iOS11 Doc there is a known issue suiting your description
They really need a prompt when you send something that ends with a “?” - Would you like to thread this?
Interesting. It appears Apple moved the Server Caching service from the Server app back into the general OS with High Sierra.
*Thread Reply:* @Woody it works REALLY well now, and no longer requires Ethernet. Plus you get tethered networking to usb-connected iOS devices.
*Thread Reply:* Did Caching require ethernet before 5.4? Yeah, I like how essentially any MacOS machine can now be a caching server on your network.
Any idea if there is a restriction available to MDM to gray out the iOS 11 "Apps & Websites Passwords" section under Settings > Accounts & Passwords?
*Thread Reply:* @Jonathan Henson Are you attempting to prevent the user from storing U/P credentials for company sites/services?
*Thread Reply:* Managed Domains may be your best bet.
*Thread Reply:* What you’re referring to also ties into iCloud Keychain (if enabled). So, perhaps another reason to use Managed Domains
*Thread Reply:* @Woody I'll have to look into managed domains. The iPads are handed to patients to submit online reviews for the facility. Each device has a set of 5 - 7 webclips that point to the various social media review sites for the facility. We want to make sure that John Doe doesn't save his Facebook login, etc on the device. iCloud is disabled on these devices.
*Thread Reply:* Settings > General > Restrictions > Accounts > Don't Allow Changes. (Disallowing changes prevents adding, removing, or modifying accounts in Accounts & Passwords).
*Thread Reply:* lol, that stops you from being able to manually edit accounts (like email accounts) but doesn't grey out apps & website passwords.
*Thread Reply:* @Jonathan Henson assuming the iPads are supervised (they should be) you can add a whitelist of web sites in a config profile. This restricts all other sites. That should do the trick.
*Thread Reply:* (You may also want to look at groundctl.com to easily wipe and reimage devices weekly.)
I have a customer that has their DEP working but VPP is in the "in review" status… for a few weeks now. 😕
Apple are quite responsive if the customer places a call to them on this
True. Mails and feedback didn’t work, so a call might.
It’s old fashioned but it has worked a treat in the past.
For example, for DEP: https://support.apple.com/en-gb/HT204142
In this day and age, you’d still think they’d be able to be more responsive via means other than a game of old fashioned telephone
ok looking for some help. We are using Forcepoint and when a mobile device, managed with AirWatch, connects to the corporate network it cannot go to google, yahoo, facebook, twitter etc. those types of https sites. The device is doing its job because Forcepoint is acting like the "man in the middle" but we have forcepoint setup to issue its own certs as a subCA. So the network team and Forcepoint team say as long as the mobile device trusts the Root cert and Forcepoint is using that same Root cert everything should work, but it does not. Anybody else run into this issue?
Hey @runderwood it isn’t as simple as installing the cert onto the iOS device. You need to associate the cert with the wifi profile used to connect to the Forcepoint-protected SSID. That’s a chicken-or-egg problem… how do you get onto the wifi network to get the cert to get onto the wifi network? The solution is typically to use a tethered management tool such as Apple Configurator or #v_groundcontrol to install the profile.
@aaron we use a profile that I created in AirWatch to connect to our corporate wifi. The profile has the certs in it.
*Thread Reply:* So the device is already connected to the SSID and then AirWatch pushes down the profile to connect to the SSID? I’m pretty sure that doesn’t work. You’d need a second SSID to connect to the AirWatch server.
*Thread Reply:* OK. Say the device is newly configured in AirWatch. The device will receive a profile for the corporate SSID. Then a user connects to the wifi and tries to go to google.com. Forcepoint (Websense) re-encrypts the traffic and then presents it to the device with a cert. So the regular cert chain would be Root then Issuing then site. Going through Forcepoint it goes Root, Issuing, Forcepoint SubCA, then site.
*Thread Reply:* So, if all the above is in place. When the device hits ForcePoint (Websense), does it require the user to authenticate to pass through the proxy out to the site they’re trying to access?
*Thread Reply:* No authentication required. It just re-encrypts the traffic and the mobile device does not trust the cert chain. It thinks it is a "man in the middle" attack
*Thread Reply:* Gotcha. Have you tried sending out the cert chain for the ForcePoint directly to the device (as a Certificate configuration), so it’s placed in the Trust Store and inherently trusted by the device?
*Thread Reply:* Hrmm. If the chain is sitting in that store, the device shouldn’t whine about it. Have you installed that chain to a desktop? Curious if the chain checks-out.
*Thread Reply:* Of course, on the mobile device Safari does not prompt you and give you the ability to trust it yourself. With Google Chrome on the iOS device I do get the prompt.
*Thread Reply:* If you import the chain to the cert store and check the relationship between the Root/CA/SubCa/Cert, does it find any discrepancy?
*Thread Reply:* Can I not post a pic in a thread?
*Thread Reply:* The device has all the certs in the cert store
*Thread Reply:* You have to do it in the main channel. IDK why they haven’t added photos inside threads just yet
*Thread Reply:* Got it. I think more of the issue here is that the device may know the identity of the destination site, which results in it believing ForcePoint is a MITM
*Thread Reply:* If it knew only ForcePoint as the responder for that SSL connection, it would have no basis for comparison and trust the connection
*Thread Reply:* Wouldn’t this need to be a proxy, not really MITM?
*Thread Reply:* “Transparent authentication is not supported. The user is always prompted for credentials.” https://www.websense.com/content/support/library/web/v81/wcg_help/auth_mac_idevice.aspx#1138360
*Thread Reply:* (not sure that is your product, but it makes sense to me)
*Thread Reply:* Also curious - What does the vendor have to say about this arrangement? Any suggested means of allowing mobile devices to access secure sites using their product? Surely this isn’t the first time a customer has encountered this.
*Thread Reply:* The vendor really has not said much. They did say that they always see issues with mobile devices lol
*Thread Reply:* Sounds like they’re not really concerned. Not sure they’re going to be a vendor you all will want to be dealing with long-term 🙃
*Thread Reply:* exactly we are always fighting with the network security team about forcepoint.
*Thread Reply:* Perhaps they create a second SSID for Mobile that bypasses ForcePoint? Or enforce restrictions for devices using that SSID, such as a Web Content Filter (Supervised Devices Only)?
Am I right in understanding this as a iOS & captive agent issue?
If so, all you need to do is allow a firewall rule out to the https://captive.apple.com/ site
@Jason if your question was to me then, no, it is not captive agent. Forcepoint is Websense. It acts like the man in the middle and re-encrypts traffic.
@runderwood you are using Chrome. While you installed the root/intermediate certificate chain on the iOS device, you didn’t install it in the Chrome app. Yes, iOS is a sandboxed OS; installing a certificate at the System level doesn’t allow a third party app to access it and trust it or use it.
Deep packet inspection is basically a bad idea in mobility. This often doesn’t work as only native Safari/Mail apps will accept to trust certificates. Other apps like Skype, Chrome or others will prompt with an untrusted certificate error.
@channel Looks like Apple has new software license agreements for DEP. Your company’s Program Agent is required to accept the new agreement on deploy.apple.com before using DEP again.
It’s so worth it to break DEP to educate customers about accepting EULAs
@Russell Mohr uploaded a file: Screen Shot 2017-12-04 at 9.51.19 AM.png
that's my favourite screenshot of the week @Russell Mohr
@Woody I can not get content cache to turn on with my mac mini. Keeps saying currently unavailable.
@aaron what happens to any devices assigned when the agreement was not accepted?
@macbentosh devices that are assigned are fine. Devices that are already set up are fine. No effect.
But you likely won’t be able to change the DEP profile for a device, and you won’t be able to assign any new devices.
that’s what I mean. I just agreed to it. What if a device was shipped Saturday.
@macbentosh what version of MacOS are you running?
So, you’re working within the System Prefs --> Content Caching area, but it won’t allow it to enable?
Is that Mac able to determine its public IP? That’s honestly the only big dependency I know of that might trip it up.
And working from the command line, clearing any cache
I have to play with it more, but it sits there for days like that.
Thinking about throwing it on our non-prod network and seeing if it is our effing proxy… Again.
My guess is that the proxy is jacking it up. All it really does is look-up the public IP and tell Apple that it is hosting content caching services for anyone that comes looking for updates from your gateway.
Got a user that is getting asked for their iTunes Store password every morning since iOS 11.
Any idea? Signed out, rebooted, everything I can think of.
It sounds like it is accepting, but discarding the credential every ~24 hours?
If cancelled it doesn’t hit again till the AM
Is there a need to have an AppleID on the device (aka is VPP in use), or is it BYOD?
VIP person…no device business association but we support them.
I wonder if they may have installed an app under a different AppleID, and this is causing the prompt (e.g. trying to update an app or similar)
There’s an update for the app that was installed under the context of another AppleID
It is just asking for the password for the only logged in Apple ID
Well… Didn’t happen on their 8; started on the restore to the 10
As it’s a VIP, I suggest a full backup and restore to a spare machine.
Good. I would try a restore to a freshly reset device and see if that works.
If so, hand it to them after a day has passed without the prompt.
Or, reset their device and restore the backup again. However, they won’t love you if you just reintroduce the problem again… 🙂
To settle a minor disagreement about VPP, can anyone confirm if there's any difference between the functionality of VPP between DEP/non-DEP devices? That extends to supervision also. Interested primarily in the use of device vs user assignment.
Silent install (managed distribution) for AppleID assignment?
I mention it as a question, because why wouldn’t you move to device-based assignment for most of your apps? (Other than paid for apps, where per-user assignment may be cheaper)
I'm of the opinion (because I'm by no means intimately familiar with it) device-based can be used whether the device is supervised or not.
Perhaps the question is best asked in terms of supervision, rather than DEP, as this is effectively the difference, not the enrolment process in this case.
Oh, that said, just to clarify, you can do a ‘wait-till-everything-is-installed’ before allowing the user access to a fresh DEP-enabled device, which should cut down support calls and reduce any possible user confusion with background installs, etc.
Regarding the VPP licensing there is no difference for device-based between DEP/non-DEP or supervised/non-supervised. On non-supervised devices you just have the requirement that the user needs to confirm every app installation request.
I can confirm what @Tobias said. VPP is orthogonal to DEP.
The intersection point are Apple sales reps who conflate the two.
Which seemingly has resulted in this question @aaron so yeah. Thanks for confirming
Good one @Tobias. I was explaining that yesterday. Small difference in UX with VPP across the two management styles, but noteworthy
If we only knew what orthogonal meant… hawww
Keep in mind that very soon all DEP devices will be supervised. There will no longer be the option for non-supervised DEP enrolled devices. So while you’re contemplating this now, in the near future there will be no option. You may want to consider supervision whether you use the settings specific to supervision or not.
@jafullersr often I see the question in regards to VPP on older, non-DEP devices. If people conflate VPP with DEP, then they think they can’t use VPP with their existing fleet. But that isn’t correct.
Similarly, while DEP implies supervision (at least it will soon), the reverse isn’t true. You can supervise WITHOUT DEP, and still get all the benefits. (I know you know this @jafullersr but sometimes I feel like shouting it anyway.)
@aaron VPP was made available long before DEP. Remember redemption codes? Coupling the two together in the right way will add value, however they can be mutually exclusive.
With DEP you can deploy apps using VPP based on the device (device ID based VPP) it does not require an Apple ID. Without DEP you can not. So there is a difference, but VPP does not require (yet I believe as Apple is mandating DEP and supervision more and more) DEP.
I need to object to this statement as it is incorrect. Device-based VPP can be used for all devices, regardless of DEP enrollment. DEP removes the requirement for the Apple ID on the device at device setup time. Device-based VPP removes the requirement for the Apple ID for app installation. So combining both removes Apple ID requirement for EMM environments altogether. But that does not mean that both technologies cannot be used separately.
Oooh, a rare opportunity to slightly improve an answer from @Tobias! “DEP removes the requirement for the Apple ID on the device at device setup time” — nope, the Apple ID setup screen may be skipped even without DEP.
DEP = Streamlined device setup. VPP = license lots of apps.
Oooh, a rare opportunity to slightly improve an answer from @Tobias and @aaron! “DEP removes the requirement for the Apple ID …” - this is technically a function of supervision, not DEP. The two are often conflated, but it is an important distinction for those who cannot/will not subscribe into DEP, yet can still benefit from this by using Apple Configurator…
I’m expecting @aaron to mention GroundControl at any moment… 😉
This has been a fun and familiar conversation :) So to summarise the UX:
Supervised: silent VPP device based install
Non-supervised: user-prompted device based install
I.e. functionally the same, but the user gets a ping to confirm if supervision isn't present, regardless whether or not they have an iTunes account on the device.
iOS 11 Security Guide - https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Apple at Work - Hrmm, that sounds kind of familiar. https://www.apple.com/business/
It's pretty general terminology. Can't knock them for using work :p
It’ll soon be updated to Apple Enterprise 😆
Believe it or not, it was Apple for Enterprise a while ago. Then Apple for Business (to broaden the view), now Apple for Work. 🤷
Haha - I do recall the mention of Enterprise awhile back. ¯\_(ツ)_/¯
Folks, anyone else having issues with sent items not replicating to iPhones running the latest iOS?
hmmm, thanks .... seems to be an interesting one...
I do notice, myself, that some emails do not get pushed with iOS 11.2. This happens every couple of days. Seems to be related to network changes (wifi vs. 4g). Also, mail seems to display the "downloading" status on the bottom a lot more.
looks like a bug in office 365 that MS pushed last week. EX127850 - iOS Devices issue with Exchange ActiveSync
Yes indeed on Office365. If I google EX127850, I don't find anything related though. Where is your info from?
You won’t see it unless you log into your admin portal to see the advisories.
Weird, checked the Service health going back 30 days but can't find it. Not in the message center either. Anyway, do not have the issue with Sent items. It is persistent and for more than one user?
Yes, also affecting contact sync as well. Seems MS know about the issue and are patching their servers at the moment
Essentially end users are seeing sync of sent items stop, and contact sync stop. Only affects iOS users
https://9to5mac.com/2018/01/23/ios-11-2-5/
iOS 11.3 will have an enforcedSoftwareUpdateDelay restriction payload, just like macOS: Supervised only. This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date.
The max is 90 days and the default value is 30.
Availability: Available only in iOS 11.3 and later and macOS 10.13.4 and later.
Curious: Has anyone ever needed to shift devices between DEP Account A and DEP Account B (both accounts owned by the same parent company)?
I’d like to know if Apple has a standard process in place for this request, or if it would need to be something submitted by their account rep
Not myself. Though interested to hear if anyone has. My expectation is that you'd have to get Apple involved as once you release a device from a DEP account you can't register it again.
The DEP support team are actually pretty helpful for an Apple support team.
What's the business case for doing this? It would be simpler to keep the old DEP account and have it route to the same EMM instance as the new/other one.
Yeah, I was hoping there wouldn’t need to be a “Disown” action as part of the exercise. More a transfer behind the scenes
It’s a company who is splitting-off one of their entities to a new and totally separate line of business
Yeah, that's a good business case. There's a lot that Apple needs to clean up about the DEP portal and its processes:
- Changing the Agent account
- Deleting an admin account
- Only allowing a single Agent account
- Forcing a "real person" as the agent as opposed to a generic email
Well.... it's still light years ahead of android zero touch 😉
A call to the DEP support should clear things up… let me know how you go as it's an interesting question
*Thread Reply:* Ah yeah, because having a central portal you can add and remove resellers from at will is proper stoneage 😛
*Thread Reply:* There are only 2 of them!! lmao I'm gagging to try it… trying to get AT&T to get access for me at the mo.
Disown, configurator add to other DEP account if you're in a pinch
*Thread Reply:* Agree. I’ve done this and it will work.
Encrypted email reading in native iOS mail with Office 365
DON'T ENABLE IT!! Well… not yet!
So... MS released a "new" feature a few months back called server side decryption that allows encrypted emails to be read on mobile devices (and by external recipients outside of the org) in a safe and secure way. It needs either an RMS enlightened email client (outlook on desktop, on mobile using outlook mobile, or the samsung native mail client) or a webmail client like outlook, gmail, yahoo etc.
That all works great.
There is however a function that enables iOS devices to be able to read and reply to these mails within the native client… the difference being that the client won't recognise the RMS rights attached to the mail. This isn't a security issue, as the email server will still recognise the rights, but you don't get the same mail client warning of the rights.
It's this function YOU MUST NOT YET ENABLE… If you do… it will take down your entire iOS estate, stopping the devices syncing their contacts and their sent items…
MS are patching all their O365 servers, but it's going to take a few weeks.
Yeah - These will be devices that are in the field, so Configurator most likely won’t come into play @Jason Bayton
Hi everyone, do you know an app / software that can report on the resources used by installed apps on iOS?
This is for an in-house app, as part of the QA process. Just curious about whether such a solution exists.
InstalledApplicationList command will return the BundleSize and DynamicSize (The size of the app’s document, library, and other folders, in bytes.)
*Thread Reply:* Thank you, do you know which MDM solution on the market has this ability? (displays those details on their console).
Any idea on how to get an AppConfig XML schema file for Outlook uploaded to the AppConfig repository (http://d2e3kgnhdeg083.cloudfront.net)? As Microsoft is no AppConfig member I strongly assume they will not provide it on their own. Will AppConfig accept spec files for apps of non-members? Configuring the Outlook app through MDM will be a huge customer demand.
@Jason Bayton had reached out to his contact @ VMW regarding changing AFW to AE, because they apparently own the site. Perhaps he can get in touch with the owner of the content as well.
The question is, if AW is also responsible for uploading stuff to the repo. I know the repo itself is hosted/operated by MI but do not know, who the contact is for uploading files to it.
@Tobias making “some” progress- hold tight
Well, it's not urgent, more on the "nice to have" side of things. Thx for chasing
@Russell Mohr uploaded a file: Screen Shot 2018-02-07 at 11.03.41 PM.png
@Tobias is this visible on your cluster too? I wonder if you see the appconfig configurations on yours…
Also, in Core 9.7, we will be able to add KVP’s for apps with the InTune SDK
Yeah it works @Russell Mohr. Tested it when they launched.
*Thread Reply:* "For generic Android, we may also see a future capability for devices that run Android enterprise (formerly Android for Work) before long."
It's already possible to defer AE updates using any half-decent EMM 😛
*Thread Reply:* Coming soon!
@Russell Mohr yeah, the AppConfig is now available on our (and probably any AppConfig supporting) EMM platform. Unfortunately it seems the file I uploaded here contains unnecessary whitespace in one of the keys ("com.microsoft.outlook.EmailProfile.EmailAddress "). This may render the config incorrect. At least I was not able to configure Outlook for iOS using it.
But I don’t know if it will work. The config is intended for the InTune MAM SDK
As-in the Horizon client, @macbentosh? We did it at Kindred for a couple projects.
How do you set the server to connect to with a config profile and not a URI?
@macbentosh does this help? https://docs.vmware.com/en/VMware-Horizon-Client-for-iOS/4.5/com.vmware.horizon.ios-client-45-doc/GUID-FA0D1218-E28F-4CB5-8126-33011483E54F.html
(It’s a bit AirWatch focused, but it really describes AppConfig that can be used with whatever MDM)
Wonder how to translate that to be used in MI
It’s JSON within XML, which is really weird. Are you OK editing the JSON to match your environment?
Title it com.vmware.viewclient.plist and point it to the bundle ID?
[Disclaimer: I’ve never configured Horizon. I’m doing this based on an understanding of AppConfig.]
It states "When you create an app configuration policy in the Azure Portal or through your MDM provider, you will need the following key value pairs". So I assumed it to be default iOS managed app configuration. Today I just created a normal plist file with the described key-value pairs to configure the iOS Outlook app. But this did not work either. But now I don't know if this is because it's just not working as I expect or if there is a conflict between my plist managed app config and the configuration retrieved from the AppConfig repo.
This is the plist XML I created based on the Microsoft Technet article. And on that article I also created the AppConfig schema file.
@Jason Bayton it was more of a how to do that without switching to AW
@macbentosh Horizon supports SSO. So if you have identity management in place maybe there is a way. But that is beyond my skills.
*Thread Reply:* I know a guy who has the hookup on identity management, if you guys are heading that direction 😁
Man i wish MI had exclusions….Everyone in this label but not these three
It does via the label itself.. I exclude devices and users with custom attributes normally but it's pretty flexible. It just means creating a separate label is all.
sadly it’s for our app store label. A change would then repush the webclip to all
Perhaps then edit the label itself with the new criteria? Untested approach in my side but should work
@macbentosh like @Jason Bayton said, you can tweak the criteria for a filter label and it will just push/remove the associated configs to devices that are added/removed to the label.
You can also create a new label, compare the difference in device count between old/new and (if you like) begin using the new label for distribution. Basically a seamless migration from Label A to Label B.
That's one of those things I've not tried on a live environment @Woody, adding one label and removing another without disruption. Sounds like it should work though.
and since i didnt start my mi server….The label is…..IOS!!!
Yeah, it’ll work (now). Didn’t used to work so well back in the early Core days. Labels A/B are created and include same (or similar) devices. Configs are bound to Label A and Label B simultaneously, then removed from Label A.
Yeah, but you can transition from iOS to “iOS-All” or whatever you make to bust away from the system labels
Adding a label, then removing definitely works without repush, we even use this for high impact profiles like Exchange. I think it was Core 4 where each label modification led to a full profile push for all devices, long long time ago 🙂
Well the pain is still very much felt I'm sure Tobias :p
Has anyone ever seen an iOS widget (also called a "Today extension") used in conjunction with per-app VPN? A customer reports that the app itself uses the per-app VPN just fine but the widget contained in the app does not. The app developer described to me that a widget is contained in the app's .ipa but has in fact a completely separate bundle identifier. This would explain the issue as the per-app VPN profile is an assignment of bundle ID to VPN profile and the widget's bundle ID is different. Is there any way to configure this (with MobileIron in our case) or is it an iOS limitation?
That’s a good question @Tobias. I do recall when working in XCode recently (for an AppleTV app) that the items such as Top Shelf (for the app to display updates on the “top shelf”) did have a separate bundle ID. So, I’d guess that holds true to the widget on iOS. My guess is that the functionality you need (in order to manage/per-app VPN the widget) does not yet exist
well got vmware with a config profile. Anyone done it for citrix?
Nice. Not familiar with the citrix interface but I’d imagine it will either be upload the XML or use their GUI to port-in the KVPs
Realistically all they are doing is transporting the XML to the device to install, so they can’t really do a whole lot different than other vendors
Hey All. I’ve just set up single sign on for native Office 365 apps on iPhone. So far so good. Now I just need to type the Office username into one of the office apps, and badabing, no password, everything works. However to reach my goal — zero touch — I need to push the Office username too, via MDM. I’ve searched for an AppConfig key for that...no luck. O Great MobilXPerts is there such a key?
com.microsoft.outlook.EmailProfile.EmailAccountName = {EmailAddress}
com.microsoft.outlook.EmailProfile.EmailAddress = {EmailAddress}
com.microsoft.outlook.EmailProfile.EmailUPN = {EmailUserName}
com.microsoft.outlook.EmailProfile.ServerAuthentication = 'Username and Password'
com.microsoft.outlook.EmailProfile.ServerHostName = outlook.office365.com
those are the keys for outlook, not sure if they will map into the other office apps
im not aware of MS releasing any appconfig keys for the other office apps but i may be wrong.
Tbh I think if they had we would all know about it based on the amount of noise made about the outlook app
Since the Office apps share credentials, maybe configuring Outlook would configure them all?
thats my thinking.
only thing to be aware of, is when you grant access to the outlook app via azure conditional accesses, there's no granularity of device posture recognition. users will be able to install outlook on any mobile device and use it not just a corp managed device.
Youll either need to use some kind of federated 2fa infront, or use cert auth.
Yes this workspace one. But really it simply a demo.
I can’t test this right now but can anyone confirm if pushing a self-signed cert to an iOS device will remove SSL errors in Safari when browsing to the associated website?
IIRC @Amine since the identity is then installed to the store/trusted, the error in Safari should be suppressed.
@Amine You may need the certificate chain for the trust issues to be mitigated. It’s not always the specific SSL cert, it’s often that the root or intermediates are unknown.
Whow... So here's a fun one for you...
I've just had a handset vendor ask me for our EMM platform tokens so they can setup a DEP portal they control and add our EMM platforms to it, rather than adding the devices to our DEP portal.
Their justification is that as they're leased devices they aren't allowed to add them to our portal.
A) That's sketch AF B) The DEP vendor has the power to remove devices they have added to any customer portal C) I lease devices from Apple today who add them to our portal
(And yes, everyone else processes this in the proper manner, i.e. linking them to your DEP account)
Whoa - I’m curious what Apple would have to say about that…
Won't name names on here, but they're big enough that they should know better.
I passed their request by our Apple rep and he's confirmed that this is a breach of their T&C's. Confirming that devices should be in use by the employees of the company in control of the DEP portal for many reasons, not least that you're accepting terms and conditions between the device user/operator and apple, which a 3rd party can't legally do.
anyone heard of an issue where a user's iOS calendar events go missing after they change timezones only to return an hour or so later?
*Thread Reply:* I saw this few times with Exchange 2013 and iOS 10+. As far as I can remember, the workaround was to disable Local Time Zone from the Calendar settings.
@Simon Hardy-Bistagne Isn’t that the point of the option to disown in DEP? Once the device is out of your lease terms, the company will disown the device and allow it to go back to the vendor. Terrible approach by the handset vendor.
Deploying iOS Wallpapers... Anyone aware of how we can do this well? AirWatch simply does it based on 1 Wallpaper per Org Group, and when i have multiple different screen sizes in there it doesn't work well when rendering.
Screen size isn’t always the issue. There are some iPhones now that have a higher pixel count than some of the older iPads. We go with a high-res image for the iPad standard and it seems to work for iPad and iPhone.
Just in case anyone’s missed it, perhaps worth mentioning that iOS 11.3 is now out and features battery health check?
(New version of High Sierra macOS as well, includes Business Chat in (i)Messages)
I had seen that 11.3 went live. Looking forward to cloud-based iMessage!
*Thread Reply:* It’s not in 11.3 but in 11.4 Beta 1 🙂
*Thread Reply:* Ah, WTH! I wondered why there wasn’t any mention of it in the release notes. I thought it was a certainty in 11.3
*Thread Reply:* Well for now it’s a certainty in iOS Betas :)
Business chat makes sense too - Back when I owned/operated Entertainment Essentials (DJ Company) we had a dedicated iMessage account specifically to chat with customers. Nice to see a native function coming like that to iMessage.
Yeah, not quite - still requires integration at the back end. Been looking into this and the supported integrations are few and far between. SFDC being the more obvious one, but LivePerson and Genesys also on the list.
I think it's still in beta isn't it? Only supporting a couple of us companies?
I'm sure it won't be long before remedy and service now are on there
You can apply, either as a potential business or as an API-integration partner.
Note that the service is not available outside of the US as yet.
Has anyone been able to verify if the new killer features have found their way into the public release of 11.3? (delay updates and prevent managed contacts)
*Thread Reply:* Managed contact topic is in 11.3 and it’s working
*Thread Reply:* Cool 👍 How did you test it?
*Thread Reply:* I tested it with WhatsApp unmanaged vs managing it afterwards
*Thread Reply:* ok but is there no setting you have to push out via MDM for that to work? Simply deploy an Exchange profile via MDM and if WhatsApp is not managed the access for Exchange contacts is blocked by default?
*Thread Reply:* Managed Contact (as-in keeping your managed contacts from leaking into unmanaged apps)?
*Thread Reply:* In MobileIron there is a setting in iOS restrictions where you can allow/disallow data exchange between managed and unmanaged content. If you restrict unmanaged access to managed data, access is denied.
*Thread Reply:* Do you mean: „Allow documents from managed apps to unmanaged apps“ - I thought this is only to restrict Open-In, not the access of the managed contacts for unmanaged apps.
*Thread Reply:* Ok well then it's not really working. Deactivated both options in the restrictions, but contacts are still visible in WhatsApp. And WhatsApp is not managed!
*Thread Reply:* Ok tried it again with a fresh device, no chance. I think we are talking about different things. I am deploying an Exchange config into the native mail app on iOS and due to the iOS release notes it can be possible to prevent WhatsApp from accessing the contacts from the native mail client. I believe you are talking about AppConnect Apps like Email+, not the native client.
*Thread Reply:* From my testing WhatsApp worked. Are you sure you applied the Allow managed to unmanaged restriction? I’ve heard that iMessage is considered as unmanaged app... any clue or info?
*Thread Reply:* I applied a standard MobileIron iOS restriction (Core 9.6.0.2) with the setting „Allow documents from managed apps to unmanaged apps“ unchecked. No idea if iMessage is considered unmanaged.
*Thread Reply:* I am talking about native iOS apps for contacts, mail, calendar etc. I also push an Exchange config to the device. The Messages app is something like a hybrid. If I use the plus button in the To field, I get only access to unmanaged contacts. If I type the name directly in the To field it provides matches also from managed contacts.
Do you provide more than one iOS Restriction configuration to the device? As far as I know it must be only one.
*Thread Reply:* I have both options about managed to unmanaged and unmanaged to managed disabled
*Thread Reply:* Solved it - that was more than strange. Complete device issue that I have never seen before! Downgraded the iPhone 5s from 11.3 to 11.2.6 and upgraded back to 11.3 - all via iTunes. After that, everything worked like you described! 🤔
*Thread Reply:* @NicolasR you are right, it seems that the Messages app is considered unmanaged. This is not ideal and could be a dealbreaker for a lot of deployments. Is this known to anyone else?
*Thread Reply:* Found the workaround for the message app problem - you are able to send a message to managed contacts from within the contacts app.
*Thread Reply:* Or type the name of a managed contact in the receiver field of the Messages app. You will get an overview of all contacts (managed and unmanaged) that match the name you typed.
*Thread Reply:* So what is not available from iMessage app?
*Thread Reply:* Deferred updates made it in, and works.
Anyone ever had much luck with shared mailboxes on mobile?
I don't want shared credentials....
Downside is that you can’t have two mailboxes going to the same URL in iOS. So you have to get creative on what URL to send that second mailbox to.
Now, if it’s just a singular shared mailbox on one device… you’ll have no issues
In terms of the credential for the mailbox… you create a SCEP config with the UPN hard-coded. Then tie that to the Exchange configuration and send out…
*Thread Reply:* Yes I think this will work, I was hoping to get something a bit more Accountable to the user, but I think that's just the limitations we have to work with. We also have the volume limit this way with it being a max of 100 devices connected in this way
*Thread Reply:* Yeah, it’s not pretty but it does do the trick
*Thread Reply:* It’s better than AAs running around with their Executive’s mailbox loaded to their personal phone (unmanaged)
*Thread Reply:* Yeah Rob, it’s just a cert/Exchange profile being sent down. Supported from a technology perspective, anyways.
Went back to iOS managed app configuration for Outlook. Core 9.7 allows overriding the managed app config pulled from appconfig.org with a .plist file, so I did just that as the XML on appconfig.org still includes the typo I initially created. Result: Creating an Exchange account pointing to a MobileIron Sentry works, but when the mail address is an actual O365 user, Outlook detects that and just transforms the account into a direct O365 connection with modern auth. Interesting detail. @Russell Mohr how can we fix the XML at the appconfig.org repository?
@Tobias could this “detail” be used to automatically configure O365 with modern auth then?
Because I thought the Outlook AppConfig was only for legacy auth. This discovery could be quite big.
On that note - Does Core now search for and pull managed configuration configurations from AppConfig.org?
I noticed it populated a Managed App Config Key/Value pair field for Mobile@Work, but not for a couple others I imported
As far as I know Core pulls every managed app config from the appconfig.org repo if the bundle ID matches. The Salesforce App for example has one. You can verify if a config exists by checking the URL https://d2e3kgnhdeg083.cloudfront.net/<app-bundle-id>/current/appconfig.xml Do you have an example for an app where it does not work?
@aaron Well, it allows to configure the mail address/user ID. The account showed up as "Exchange" account in Outlook. After entering the user's password he suddenly was redirected to our ADFS and after authenticating there the "Exchange" account was gone and only an "O365" account remained. I do not think that this is a good user experience. Will test tomorrow with a setup to directly configure O365.
In our case we have SSO using SAML and Workspace One. So if there is a way to assign the mail address/user ID, then the rest could be automatic… Fingers crossed.
@aaron I’m very interested in your results. 🙂
@Tobias no luck here yet. But I just noticed that you were entering the user password first, then it redirected you? Well that’s no SSO….
@Tobias can you send me the full corrected version? I’m told there are also some supplemental parameters coming from another source at Mobileiron. Where was the exact error again?
@Russell Mohr there seems to be an extra space in one of the parameters… ><string keyName="com.microsoft.outlook.EmailProfile.EmailAddress ">
Thanks @aaron. @Tobias if you can still email over full “golden” XML file it will make life easier for a certain person named Russ
@Russell Mohr you've got 📧
I’ll follow up when I have some news. Thanks @Tobias
Today I configured an "Exchange" account to the iOS Outlook app using "outlook.office365.com" as server name. The behavior is the same as before. You need to enter a password (cannot be set through AppConfig) which is completely ignored as soon as Outlook detects the mail address as being O365 hosted. It switches to modern auth and redirects to the IdP (here ADFS).
So preconfiguring Outlook for iOS with managed app config is really just for on-prem Exchange (as the MS article states).
Just ran through this and you’re correct. Outlook is pushing us through modern auth and our own IdP. We have a CASB, but I can’t tell if it’s still in use with this pattern. I’m hoping to drill into this too.
Hello, does anyone have a good, clear approach to pre-loading videos onto devices en masse?
@Tobias @aaron corrected Outlook appconfig app queued up for deployment. I’ll let you know when it goes live. Thanks for testing and confirming the MS docs are correct (on prem Exchange only)
@aaron you would probably know best around @jafullersr’s question on preloading content…
@jafullersr sure thing. Ping me if you have a chance.
Apple stopped signing iOS 11.3, so only iOS 11.3.1 can be installed. Except I thought MDMs can target a specific iOS version to install within a 90-day window. How's that going to work now? 😕
*Thread Reply:* Not target a specific iOS version, but delay the installed version which does need to be signed!
I’d suppose this is kind of a unique scenario, but does kind of make you wonder what they will do going forward.
Apple’s MDM Protocol Reference includes this new web service to identify which iOS versions are available. But it hasn’t been updated in weeks. It shows 11.3, but not 11.3.1. Obviously wrong. No wonder the MDMs aren’t really supporting 11.3 yet.
Fun fact. Apple DEP fails to authenticate if your user password has a special "non English" character in it... We've had it with Norwegian characters. This week.
*Thread Reply:* Thanks @Simon Hardy-Bistagne. Didn't realize this.
*Thread Reply:* Been raised as a bug to Apple. Will see what happens.
Folks I have a strange one for you.
We have a user whose calendar disappears when they've landed from a flight that's passed into a new timezone.
Their calendar comes back an hour or so later but everything we've done doesn't seem to resolve it, even down to refreshing the phone.
Has anyone seen activity like this before?
*Thread Reply:* Can you provide a bit more detail on the device, OS, timezone (from/to) and calendar backend platform? I haven’t heard of this, but it is intriguing.
*Thread Reply:* So, iPhone (follows her from iPhone 7, through to now her X).
Native iOS mail client.
Backend is Office 365, and device is 11.3 and 11.2
Doesn't affect her iPad.
Timezone change is any to any.
*Thread Reply:* Wow, that is odd. Do you have access to O365 tenant settings?
*Thread Reply:* Sure do.
Can't see anything out of the norm on her end.
*Thread Reply:* Originally thought it was a corrupt calendar, as it followed her to new devices but she always did a device restore to set the new one up.
But set her a fresh device up, no restore, and when she landed lately, it worked fine... until she connected to wifi and the calendar wiped.
*Thread Reply:* Yeah... it’s a mind bender... that’s for sure
*Thread Reply:* I can’t find anything that would be the cause for this sort of thing. Worst case, recreate the mailbox?
*Thread Reply:* I think we've found the issue...
Seems this exec has been entirely disabling location services on her device. I think this has been playing games with the timezone changes and potentially the agent compliance checks.
Strange it's only affecting the calendar and not other items, but enabling the location setting seems to have resolved it for the moment.
@here Google have asked me to put together battlecards to provide to partners as part of their increasing focus on enabling Android in the enterprise. I'm looking for assistance/volunteers to help me out on the iOS side please. Focusing on: management, security, flexibility and more (for DEP there's zero-touch, for VPP there's BPP, for work profile there's managed apps, etc.)
*Thread Reply:* I can reasonably tackle the Android enterprise side of this, but I want to remain objective and obviously I have a natural bias, as would those focusing primarily on iOS.
When Google mentioned it going to partners (EMMs, ISVs, etc) I thought this would be a great opportunity to 1) provide a factual comparison and 2) highlight the level(ish) playing ground both OS' are fighting on.
If anyone would like to get involved I'll share more details 🙂 I want to turn this around quite quickly. No financials involved, I volunteered to help the ecosystem as I've done with the rest of my docs.
*Thread Reply:* Perfect, I'll get what I've got so far "shareable" and ping you.
*Thread Reply:* I worked on something similar while at Apple for education space during Apple School Manager days. If there is something I can do to help. I would love to.
Apple System Status shows VPP issues since yesterday. Is anyone having problems?
Love their verbosity in the description of the issue. Good luck users, whoever you are. It might work. Then again, it may not 🤖
I dont think anyone has ever accused apple of being overly transparent!
I hate when customers take bad decisions... One of them decided to remove the iOS managed apps restrictions for documents open-in since iOS 11.3 adds the contacts to this restriction.
Users won because they want to access to Corp contacts in WhatsApp
Just opened a radar to ask Apple to create separate restriction for contacts and documents. 4179277
Sounds like shadow IT is taking over on that front. Perhaps the customer should consider providing a decent communication suite.
They have “allowed” officially users to use Signal... (whisper systems)
I'd prefer Apple to also provide restrictions for unmanaged Calendar access. Calendars contain much more confidential information than contacts...
Does your customer know GDPR? ;-) That might be an expensive risk to take :)
I know... we already communicated about GDPR!... that's complete nonsense...
Gdpr??
What's that... Never heard of it....
They could make WhatsApp managed and setup a data privacy contract with Facebook. I dont know whether someone ever tried that :D
So, iOS 11.4 has dropped.
Always fun to watch the uptake as it goes across the estate!
I went ahead and updated - Wanted to see how Messages in the Cloud would play out.
Did any of you try stereo with two HomePods with AirPlay 2?
(24 users still on 7.1 but we dont talk about those)
7.1 - Wow. Those people who just don’t leave the stone age…
@Preetham Guram I’m actually more pumped about being able to use AirPlay 2 with my Sonos units in the house.
Right. I forgot about that. Do share your experience.
They’ve been doing their homework with the betas, as they announced that Sonos One, Play:5 and Playbase would all be compatible. I’ll keep you posted
The cool part is that you can AirPlay 2 to any of those units, then group legacy speakers to play through them as well.
Yeah... i've been sending out threatening emails lately as they'll be coming off the platform in a few weeks.
I have people on 8.x whose devices support 11.4.... no excuses so I'll be getting the stick out soon.
Boo, Giphy doesn’t have much in terms of “Beat into Compliance”
Hello @here did you ever see that behavior?
same behavior with Apple Configurator + a manual profile
Not seen that no.
Tried removing then reinstalling the profile rather than just update?
Install 2.0 profile then remove original??
Yes report to apple is a good shot... Sounds like a bug.
Also tested the second profile installation and removing the first one, same behavior
Maybe it's better to report it on apple's bugreporter as I don't think they officially monitor openradar. https://bugreport.apple.com/web/
*Thread Reply:* Openradar is only to show to the community which are the open radar while Apple doesn’t provide any access to bugs reported.
I had the privilege to work on this 3 years ago.
is anyone having issues with DEP enrolment today?
i have a number of users reporting hanging at the "deployment" window
@Simon Hardy-Bistagne you can’t get past setup assistant on devices? Or can’t view the online DEP portal?
just had a couple of users reporting issues around downloading the config from the dep server
The DEP process is split into two parts: Apple and your MDM. The Apple part is just after the WiFi screen. If they are prompted for User ID and Password, and THEN it is failing, then it's your MDM that's not doing its thing.
That “Apple Part” tells the device (a) which setup screens to skip and (b) the MDM enrollment URL to use after the setup screens.
Yep, that's as I understood it to work.
This is all before any engagement with the MDM. So during the download of the dep config from Apple.
We haven’t heard of any issues with our devices this morning. All of our corporate issued iOS devices are in DEP.
I didn’t see any issues with DEP either.
Anyone know if DEP under business manager will possess the ability to support modern auth?
The Intune way around this is to skip user auth until the agent install which just makes my head hurt...
about this MS Article: https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-third-party-emm
Which App bundle ID should I assign to the managed appconfig?
Depends on which apps you would like to manage. What is your use-case?
All the o365 apps (Word, Excel, PPT, OneDrive, teams and others)
The use case is to prevent documents open-in to non corporate accounts such as Dropbox within the office apps
You do not need to have the Bundle IDs for this, at least if you are using a MDM or Intune itself. What are you using?
Here are the bundle IDs that MobileIron sees as Intune SDK apps:
Wasn't able to get a simple list. But in the JSON, search for the app you need and then the "appIdentifier"
Hi @Mark Vonk not sure you sent me the right file
When I deploy a managed app config I need to specify which managed app will receive this configuration plist
If I understand the doc provided correctly I can send this Plist to the app
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>IntuneMAMUPN</key>
    <string>$USER_UPN$</string>
</dict>
</plist>
Hi @NicolasR: that will not work. You can't send the configurations using an appconfig. You will need to use Intune or the Graph API (or an MDM that can target the Graph API). Only with these can you send the proprietary Microsoft configuration to these apps. A managed app config does not allow you to change that kind of settings (DLP settings in Intune SDK apps)
Extract from this article: https://www.mobileiron.com/en/blog/solving-office-365s-multi-identity-crisis-ios
Solution: Deploy iOS managed app configuration to Office 365 apps
In iOS 7, Apple introduced managed app configuration. This configuration allows an administrator to remotely configure and populate app settings for managed apps on managed devices. Managed app configurations follow a standardized format and do not require proprietary SDKs or app wrappers.
Microsoft Office apps support iOS managed app configurations such as “IntuneMAMUPN,” which allows the MobileIron administrator to set up the Office 365 work account in each Microsoft app. When Microsoft apps are deployed with IntuneMAMUPN, attachments opened from a managed app into Microsoft apps are treated as work documents. For example, an attachment opened from a managed iOS native email account into a Microsoft app can only be saved into the Office 365 work account specified by the managed app configuration. To learn more about deploying IntuneMAMUPN, see Microsoft’s documentation here.
They do support it to have the UPN set. But you will still need Intune or use of the Graph api to actually set the DLP settings.
So, you can use the managed app config to have MobileIron populate the app with the users' UPN
But that UPN must still be known in Azure AD and for that user in Azure, there must be some configuration configured for Intune SDK apps
ie. you can't configure DLP settings in Intune SDK apps, without an Intune license and Intune app configurations or an MDM that uses the Graph API to configure those app configurations for you.
This document is very unclear: https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-third-party-emm. I do not know what to make of it; if Intune app protection policies are needed for this or not.
But you can always try by just sending the PLIST. It seems like the app (Word for example) will respect managed vs unmanaged Open In on iOS. In the JSON i have sent before, all Microsoft and 3rd party apps that should be able to use it are listed (https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps). It's in JSON format, so you need to search for the App you need and there it will have the App Bundle ID.
@here Anyone know of a way to determine what URLs an iOS app is calling? Trying to troubleshoot the Workspace ONE client. Unfortunately, the console of the device doesn't show enough to go on.
*Thread Reply:* Update: Was able to engage the frustration shake and pull logs from within the app. Apparently WS1 is doing some sort of lookup on my device and redirecting me to an AirWatch tenant that’s not actually mine.
*Thread Reply:* Yeah! Kind of interesting. I sent the details over to their team and anxiously await more detail as to how the internal flow of that function works
*Thread Reply:* So is it going to an actual other AW instance or just an unknown URL?
*Thread Reply:* I’m having a hard time understanding how that could happen. That is nuts.
*Thread Reply:* Well, this WS1 tenant was switched back and forth between a couple AW instances. I think it may have gotten mixed-up in the shuffle
*Thread Reply:* I kind of understood WS1 would use the OD name to lookup the AW tenant… and I think that may be where the wheels came off
*Thread Reply:* Senility setting in with AirWatch hey!
*Thread Reply:* plug in Xcode and hit Go.
Has anyone updated to the new Apple Business Manager portal? If so, any issues with the EMM DEP or VPP integrations during the migration?
*Thread Reply:* Not yet... But want to hear the answer from anyone who has!
Our apple reps have all told us there will be no issues...
*Thread Reply:* We migrated DEP. Working on VPP. DEP migration was touchy. They said we didn’t need to recreate the DEP tokens, but we did. So, there’s that.
*Thread Reply:* Eww recreating the tokens...
*Thread Reply:* We talked with Apple as well and they said the same thing to us: would be no issues.
Definitely want to upgrade.
*Thread Reply:* Already having the default EMM endpoint based off of device type has helped us immensely.
*Thread Reply:* Token re-creation was really just like a renewal.
*Thread Reply:* Not super bad, but not expected either.
*Thread Reply:* Default EMM Endpoint, as in iPad goes here, iPhone goes there @jafullersr?
*Thread Reply:* Not much risk in token recreation. Devices already have profiles assigned... but with VPP there is more risk. Good luck!
*Thread Reply:* Yes, we set specific endpoints for specific devices due to purpose built configurations. @Woody So far it’s been working great.
*Thread Reply:* I appreciate all the feedback. @jafullersr what was touchy about the DEP migration other than the recreation of the DEP tokens?
*Thread Reply:* I migrated a DEP account with 20 tokens
*Thread Reply:* VPP sToken for the program agent (first DEP admin) was also migrated when I enabled VPP
*Thread Reply:* I do see issues with other existing VPP sTokens created by other admins in my domain though.. You can point them to a “Location” in ABM but I don’t believe they are really added to the ABM portal
*Thread Reply:* Or at least, the other tokens aren’t reflected in the license totals for all of my VPP tokens
You mean how can you deploy Outlook for use only by managed devices? For use with on premise or O365 mailboxes?
Our users want to use the Outlook app with MI and on-prem Exchange.
@macbentosh are you using Sentry? If yes, does that imply that you’d like to use the Outlook app with ActiveSync or perhaps EWS through Tunnel, etc?
Do you have any fronting identity provider (Ping, e.g.)?
We've done this with AirWatch and ping so that only enrolled devices get access to outlook mobile app.
@Simon Hardy-Bistagne Can you describe a bit more on how you tied them together? I want to do this.
*Thread Reply:* So... We have Ping in front of Office 365 carrying out the authentication.
Ping has a connector into AirWatch so that, as a part of its policy, you can set that the device accessing must show as compliant in AirWatch.
The rest of the Ping rule is written so that any mobile device accessing Office 365 via the Outlook mobile app must be compliant within AirWatch.
Of course the rule only applies to mobile traffic, not desktop.
This allows us to basically allow an Office 365 conditional access rule to all mobile devices using Outlook mobile, but only ones AirWatch says are compliant will get through.
Just one thing to consider: Ping does device ID via certificate, so you will need a PKI set up deploying certificates.
*Thread Reply:* Thanks @Simon Hardy-Bistagne
*Thread Reply:* Nice explanation, @Simon Hardy-Bistagne!
*Thread Reply:* We do something similar except that we also do mobileSSO via ViDM so no passwords to worry about!
*Thread Reply:* @Woody you remember our in-depth discussions on that ! 😆
*Thread Reply:* Oh yes @Damian! I’m all about that haha
*Thread Reply:* Doing lots of it with WS1/AirWatch (and now MI Access)
*Thread Reply:* Good to hear man - exciting times with IDM and mobility!
Hello @here Does anyone know what Apple means by "improves the reliability of syncing mail, contacts, and notes with Exchange accounts." in the iOS 11.4.1 release notes?
That’s my guess. Err on the side of fixing something that wasn’t working right, as opposed to introducing some new feature in a .1 release
The security notes for 11.4.1 don’t list anything specific so it’s likely just some functional tweaks, maybe around some recent updates with Activesync ’16
Any particular issue you were hoping it would correct, @NicolasR?
Having issues with a customer and Exchange 2013 CU 19 but we don't know if it's device side issue or MobileIron issue...
We have some cases where activesync was not reliable, especially new mail notifications. Basically the ActiveSync ping (to keep the session alive) was not occurring when the mail app was not active. This seems, so far, fixed in 11.4.1
Some ABM stuff - https://www.mobileiron.com/en/blog/5-reasons-you-should-begin-using-apple-business-manager-today
Interested in peoples experiences with Apple Business Manager so far
especially with multiple VPP tokens in the organization
Transition seems smoother than when they pushed EDU clients over to ASM, so no hiccups there. Honestly haven’t heard of any clients taking advantage of the newest of features, most seem to just treat it as a new UI, do the transfer over, then forget about it
We’re off-loading apps that are no longer in use or have a purpose to a “parking lot” VPP token which would move it off of our production VPP token and clear it from visibility in the EMM. We also use the device specific routing for specific enrollment end-points which is a huge help for us over straight DEP.
Calendar app will be in managed open-in restrictions with iOS 12 🙂
no release notes about this, it's an info from Apple directly
About managed open in: "Apple has confirmed that this is the intended behavior for the Contacts app in iOS 11.3, but has added new restrictions for iOS 12 beta 6+ to permit the older behavior at administrator discretion"
<key>allowManagedToWriteUnmanagedContacts</key> <true/> <key>allowUnmanagedToReadManagedContacts</key> <true/>
Good news they allow to distinguish read and write!!
@NicolasR in their confirmation of this, did you happen to find any accompanying documentation in the dev pages or otherwise?
This was an announcement from MobileIron but sure you’ll be able to find something in the profile reference that includes iOS 12
@aaron We have a need to be able to pull the iOS image off of some devices that are in Apple DEP. We use MobileIron, and in our Apple DEP Profile, we have disallowed pairing. However, we created a Pairing certificate in Apple Configurator on our Mac, and added that to the DEP profile. I assumed that this would allow us to pair a device with a computer which had this certificate. We are unable to get the device which has the DEP profile with the pairing certificate paired with the laptop. Any ideas?
Hey @onires53 — Did you add that pairing certificate (aka “Supervision Identity”) after those iOS devices were already set up? If so it won’t have an effect. DEP does its thing ONLY during initial setup.
So the DEP profile settings that were in effect when you set up the device will stick with the device until you erase it.
My suggestion: use iCloud to back up (I know…), erase the devices with the new DEP settings, restore from iCloud, and then back them up.
Thanks @aaron. We are 99.9999% sure that the phone was deployed after the pairing certificate was added to the DEP profile. We tried with another device as well and got the same error. I'm wondering if we set up the pairing certificate incorrectly.
Gmail, G Suite, iOS Mail, MFA...
Do I really have to manually generate an app password to use iOS Mail?
From my recent experience it was mixed. One device set up Gmail from G Suite with no issues... the other device just wouldn't set up and went through the whole app password config, then back to the device to start setup again... and bingo!
@Matthew Shaver @NicolasR Contact app behaviour restrictions are now part of the Apple configuration profile reference: https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf Page 73
Has anyone had any luck deploying wallpaper to a supervised device using a custom profile?
@Simon Hardy-Bistagne Wallpaper can not be distributed by configuration profile. It is a direct MDM command instead. I don’t know why Apple chose to implement it this way.
The only thing a config profile can do is PREVENT users from changing the wallpaper, and only on supervised devices.
MDM can set wallpaper (again only for supervised devices). The implementation depends on the MDM.
I think it would have been more appropriate to set wallpaper via config profile, much like how icon arrangement is set.
EMMs can also set the icon placement as well (I know MaaS can do this).
Thanks Aaron! Thought so but that's life.
Has anyone found a way to restrict or manage widgets in iOS?
By default we want to keep that pane on the device clear of widgets. The user of the device may add some, but from the get go, we would like it to be clear of widgets.
I may be wrong, but I'm not aware of any MDM controls for the widgets. I know, for example, you can remove the News one if you disallow the use of News in application policies. Widgets have an extension of .widget and perhaps someone has found a way to block them?
I've not tried it... But I did hear that the widgets actually carry a separate app ID, and can be whitelisted and blacklisted using that ID, while keeping the app itself untouched.
@jafullersr GroundControl can manage them using a master backup. Remove the widgets from the master and we will copy that to devices. That’s assuming it is these sorts of corporate devices.
I know that they’re signed extensions, but they’re not deployed independently from the application. So, I don’t believe there is the ability to white/blacklist them as they’re not specific apps running, they’re signed, trusted extensions of the main app. @aaron, I wish it were such for our deployment model that we could restore, but that isn’t in the cards at this point. Great solution for my use case though.
Hey guys, will a restore from an unsupervised backup (iTunes or iCloud) break the DEP supervision? What is the official procedure to restore a backup for DEP devices? I know there has been a way with a second device. Can't find anything official from Apple on this.
If it is a restore of that same device, and it wasn't originally a DEP supervised device, then it will restore as unsupervised.
If it is a new DEP device, being restored from a backup from a different device, then it will continue to be supervised correctly.
AFAIK you still can't restore from iTunes in DEP if it was unsupervised at time of backup
Ah ok, which is not so bad, right? because having users breaking the supervision with a restore is not the goal.
Exactly.
The only time I've ever really found this to be an issue is where either;
A) a carrier has been adding devices to our DEP portal and they've not been assigned to our MDM server before the user has activated them
B) we have done a historical addition by asking our carrier to add all iOS devices we've bought in the last 7 years to the portal.
Net new devices which are dispatched as DEP it's not a problem
Well, we have a lot of customers which have never used DEP (nor manual supervision via AC2), so all the backups are from unsupervised non-DEP devices. The new devices will be supervised DEP devices of course, but this always brings up the question: how can I restore my data? iCloud backups are not welcome, so if there is no way with iTunes the answer will be pretty straightforward.
Yeah it's always a fun question.
Our config is simply to allow iCloud backups, but with AirWatch we block corporate apps/data from backing up to iCloud, so it's really just the personal data and app metadata being backed up.
Gives a good balance.
The biggest problem we had with iCloud backups was that people used personal iTunes accounts (which isn't an issue); however, that then locked the device to them if they left the company.... Of course, DEP solves this.
You may also recommend other software like "iMazing" which does a good job! Best practice = don't recommend iTunes or iCloud restore on supervised devices
*Thread Reply:* That iMazing sounds good. Gotta give it a try! Thanks 👍
Tenuously related, Apple are starting to call it "device enrolment" going forward and dropping DEP. Apparently DEP is offensive in German? 😅 Confirmed by an apple guy on a call yesterday
As long as you don't call the Apple guy DEP(P) you are safe Jason! 😂
"Do you guys have DEP there?" "A few actually, but what about mobile devices?"
I think Apple is just tired of creating products that can so easily be mispronounced - iPhone Ex OS Ex Depp
But if you stop using abbreviations because they mean something rude in one country you can pretty much ban all of them. For example in China even number 4 is viewed as unlucky but they didn't skip iOS (or iPhone) 4 🙂 But anyway.. Device Enrolment it is 🙂 Thanks for the heads-up!
I see it... I always think clothing sizes.... I don't think it will be extra small though... The price tag sure as hell won't be.
I thought XS was strange too... But this is from the company that thought iPad was a good name 🤣
I’m helping someone setup some iPad as kiosk with a website. Do you recommend to use Safari as the browser or have another app?
I need to lock the iPad to a single website and I’m not sure that Safari is the best way to do it.
@Jeremy You can lock down Safari if the iPad is supervised. A web clip will help if you set it up as “Full Screen” (i.e. there won’t be an address bar). In addition use Apple Configurator to add a “Content Filter” to allow “Specific Websites Only”
You may also want to add restrictions to turn off autofill.
That's what I thought 😉 I can lock down to the webclip, correct?
Hi Jeremy, Safari is working nicely with the single app mode. You can also add a web filter so that only 1 website can be opened. It will even show in the safari sidebar (like bookmarks). Using a webclip will not lock the iPad. You have to define a single app mode policy and also the web filtering profile.
Yes. There’s no way to do single app mode on a web clip. Only Safari.
Migrating supervised iOS devices from one EMM platform to another.... GO....!
Ooooh.... so can you tell which platforms and are you using a migration tool?
Yeah... I'm hoping that the nuclear option isn't the only one, and that there is some obscure other way to do it...
I'm looking at a migration platform called EBF Onboarder... but it's more of a logical management of the tasks and accounts... the end user still needs to carry out some work on their end (although limited)
Have you looked at Wave from Digital Dimension as well?
http://mobility.digitaldimension.solutions/en/emm-migration/
I do not see any other way than to "factory reset" it. The device needs to pick up the fact that it's tied to another MDM and be supervised by the other MDM. Only happens during the "activation" prior to the Setup Assistant. Migration tools focus on making the process more user friendly, but the steps are, in the end, all the same.
agreed, for those who are already under DEP/supervised... a reset is the only option
although an icloud backup and restore would be most useful i think
@Simon Hardy-Bistagne there are other ways. A DEP device can be unenrolled (retired) by the MDM, even if the profile is “unremovable”.
You can then install an enrollment config profile for the new MDM.
The new profile will, however, be removable by the end user.
If the devices are supervised and if you happen to have a supervision identity handy, this can be done via USB without user interaction.
But it can also be done over the air, as long as the user taps on the screen in the right order.
Yes, this was what I was thinking. DEP for us is more around secure enforced enrolment rather than actually using the supervised rules...
I'm running some tests around running enterprise wipes, user unenrolling etc and then manually enrolling into intune.
At some point you’ll switch the devices from one MDM to the other in Apple’s DEP portal/Apple Business Manager. But you know this has no effect unless the device is reset.
Maybe GroundControl can be helpful? By plugging in a device, we can send the retire API command to the old MDM, then install the enrollment profile for Intune.
If we plan on actually making the change then we'll just repoint the DEP to the right MDM, and move the serials over.
Did anyone test the "allowUnmanagedToReadManagedContacts" key value pair in iOS 12?
*Thread Reply:* Yes it unfortunately works for us 🙂 Because I don't see my corp contacts in Whatsapp
*Thread Reply:* And I created a lot of personal contacts in the corp address book by mistake because it doesn't give you the choice or remind you when you create them.. It just picks the 'default' that's buried in settings and resets every time you re-enroll. DOH
*Thread Reply:* This doesn’t work then as this should allow to see contacts in WhatsApp
*Thread Reply:* Oh yeah sorry, good point! But I don't know whether we had the key set or not. I assume not as our Intune test config is quite restrictive. We also disallow third party keyboards.
I was assuming the key you mentioned was a restriction key. I'll check it tomorrow!
*Thread Reply:* This key is new and surely Intune doesn't have this in the UI. You need to add it manually through a plist file.
We have a ticket with Apple, it’s not working correctly
It **appears that it’s not working correctly, I should say
Tested on iOS 12 GM, works on supervised device but the restrictions is not shown in the restrictions menu in Settings > General > MDM profile
Non-supervised doesn't work, but WHY THE FUCK DO WE NEED SUPERVISION FOR THIS???
All iOS corporate owned will soon be supervised. It’s how they’re segmenting BYO from Corp.
^this.. is why I hate Intune... No ability to select ownership at enrolment, and defaulting to BYO...
Countries where DEP isn't available mean I can't categorise devices correctly...
There are two new policy features for the contact export - one is Supervised, the other is not, I believe
But it looks like their documentation for implementation was not correct, and that could be part of it
When we have more information on our Apple ticket, I’ll update
Yes I know that Apple separates BYO / CORP devices through supervision but this feature is not a risk for user privacy. It’s the opposite ! It’s only a risk for corporate data
It’s inherently disabled, correct? So you really only need the setting if you want to enable unmanaged apps access to contacts?
There is AllowManagedtoWriteUnmanagedContacts - This should be non-supervised and allow managed apps to push contacts to unmanaged apps.
AllowUnmanagedToReadManagedContacts would allow the unmanaged app to read contacts from a managed app - this is Supervised only, but this property is null if the former is set to True.
What’s new and different is that these payloads have a note that states: A payload that sets this to True must be installed via MDM. I’ve never seen that note in a payload before
Indeed... but again I don’t understand why this is for supervised only...
I think the latter is supervised just because it allows an unmanaged app to read from a managed app, whereas the former is a managed app pushing data out. Just a guess though
Anyone know the app ID for the “Measure” App
@Matthew Shaver Looks like com.apple.measure, based on this: https://github.com/joeblau/apple-bundle-identifiers
Thanks! keeping my fingers crossed this is correct. It follows the same naming convention as their others, so it’s a safe bet
Hi, we tested AllowManagedtoWriteUnmanagedContacts and AllowUnmanagedToReadManagedContacts for a Swiss customer with all use cases, also in combination with "allow from unmanaged to managed and vice-versa". Everything works as documented (and also on a supervised device). For Email+ (as an example) we still have to keep in mind that the unmanaged data is not deleted automatically when the app is removed. The user has to clean the contacts from Email+ or manually.
From Apple case: Nicolas,
I have gotten confirmation that supervision should not play any role in the “allowUnmanagedToReadManagedContacts” from working. That said, we are tracking a few other unexpected behaviors that may be applicable. Let me know if your deployment meets any of the conditions below:
1) No applicable native Mail account is configured via MDM because users are using a 3rd party for their business email.
2) Are you also pushing other ManagedOpenIn restrictions? We have found that when Managed Open In restrictions are enabled on a device and the allowManagedToWriteUnmanagedContacts restriction is set to True managed apps are still unable to write to the local Contacts storage.
If your experiences match these conditions, our Product Engineering team is working on resolving this behavior. If you are reporting something different, we should get on a call to discuss this further.
I would also be open to a call early next week to discuss in general as well if you have any further questions or concerns.
Let me know.
Thank you, Daniel Morris Platform Support Engineering
Curious, has anyone used the Cert-Based AppConfig in the Salesforce app?
Does that only fly if your Salesforce tenant accepts CBA as a form of auth?
So.... 1st to a 1,000 iOS12 devices wins a prize?
#MeToo 🙂 across all our customers?
Other question: we've been struggling with MobileIron for more than 6 months to troubleshoot the Send Activation Lock Bypass Code feature (since Core 9.6.0.2 and iOS 10.x) with DEP devices - the feature does not seem to be reliable with MobileIron. Do you have the same issue? I tested today Core 10.0.0.3 and iOS 12 and the code is not shown at all in the admin portal.... quite annoying for customers!
Can't comment on MI... but why not disable it from the start?
I mean : the iOS device is locked with Find my Iphone and it's supervised + DEP and the Activation "unlock" can be sent from the EMM normally. I heard some rumours that Apple is just telling to customers that MobileIron is not really compatible with this feature
We’ve seen some unreliable behavior on the manual codes. We have yet to be able to reproduce, but we get client reports that the codes don’t work in any scenario on occasion (not on MI, mind you) so I think that maybe there have just been hit or miss issues with the apple activation servers that handle this info
This is actually a known issue at Mobileiron. Should be fixed in Core 10.1
PSA: If you want to defer software update for 90 days on supervised devices running 11.3+, you can do it even if your MDM doesn’t expose the feature. Distribute this config profile to your devices: http://static.groundctl.com/assets/Defer_Software_Updates_90_Days.mobileconfig
I don’t think they publish this data, but if I had to guess, I’d say once every 24 hours, which is why you always see multiple apps updating at the same time.
Yep... just checked my iPad here in France and it’s picking it up...
If it’s your own one it doesn’t count ;)
No it's not, I was already on the beta. Or is it your iPad?
The GM is essentially the one they end up rolling out barring any major issues within a 24 hr period. I got it yesterday and I have no update notification on my device
My finger keeps hovering over that button which forces the update...!!
We’re up to 9,100 on 12 so far. Surprising amount folks still on 11.0.1 for some reason
I see 12.1 showing up now too. Thank you Public Beta.
Indeed... looks like Group FaceTime beta is back
Does anyone else have an issue with iOS 12 devices not showing the IMEI? On the device it is visible, but not via Intune, which causes a problem with the corporate identifiers.
I'm looking now and can see the IMEI for existing devices which updated.
I've not got any I can check for new enrolments already on iOS 12 though.
I believe handling of UDID has changed, but you’d need to confirm that with Apple. for those who haven’t seen it: https://help.apple.com/deployment/mdm/
IMEI.. predeclared devices with Config Mgr and Intune seems to have problems. Working on it with MS
Guys, anything on the radar for bluetooth caller id to work without the contacts being synced into the native contacts?
*Thread Reply:* I believe this is tied to a feature called CallKit. It was made for VoIP apps, but as I understand it other apps can use its code to display contacts for incoming calls.
*Thread Reply:* If the app is using CallKit, you can enable it using Settings / Phone / Call Blocking & Identification. If your app supports it, you can allow it here to provide the Caller ID.
*Thread Reply:* So basically what you are saying is that the caller id resolution should work when connected to car via Bluetooth using iOS Email+? Because Email+ uses the callkit!
*Thread Reply:* Yes; when you enable the Email+ app to be used for identification, and you receive a phone call, the contacts in Email+ will be used to identify the caller ID. But there are some limitations; maybe your car only copies the contacts and shows only copied contacts, for example.
*Thread Reply:* Yeah well no clue but caller id resolution definitely does not work when connected to car Bluetooth
*Thread Reply:* Does it work at all? So without BT and a connected car?
*Thread Reply:* It works on the phone, but not on the car display while connected! 😊
*Thread Reply:* Ok, so it's really a matter of how the car interacts with the device. It probably just copies the local contacts (native contacts app) and uses those for the caller ID. Not much you can do about that. Maybe talk to the car manufacturer... or buy a car with CarPlay 🙂
Does anyone else get continuing issues with Apple DEP services receiving the "invalid profile" error??
We seem to get more and more recently.
We’ve noticed a significant increase in reports over the last year or so. A restore via iTunes usually resolves it, but leaves me wondering if there are communication issues between the device and activation servers. It never happens on DEP devices enrolled via Apple Config, only over-the-air
Yes we've seen a significant increase over the last year.
There seems to be a relationship between the carrier they're on and the number of issues (e.g. we have more users on Rogers in Canada and Orange in France reporting issues, and almost none on AT&T in the US, which has a larger user base).
I've raised this one with Apple... But glad it's not just me...
Our resolution is a dfu restore as a normal restore doesn't seem to get it up and running again.
Anyone having trouble with users enrolling any of the new iPhones?
Yeah we have faced the transport known issue with iOS12
Have any of you fine folks come across any odd “managed to unmanaged” behavior since updating to iOS12? Specifically around calendars this time
I’m working on it now, but I’ll lay it out here so others can try: With iOS 11.3.x while restricting managed app to unmanaged app sharing, the contact share broke, but Calendars in an email account configured to the iOS mail agent could still be “read” by an unmanaged app. It seems that is no longer the case with iOS 12. I’m testing to see if the new contacts restrictions will “fix” calendars as well, or if Apple has cut off another feature
*Thread Reply:* What app did you test this with?
*Thread Reply:* I can't find an app with that name, maybe not available in my store (country). However tried some other apps (calendar widgets) and those still seem to be able to get the managed calendar info.
*Thread Reply:* This is with MobileIron as MDM. Restriction set for Managed to Unmanaged. Weird issue!
*Thread Reply:* Funny thing, I am getting customer feedback that it's not working anymore also.
*Thread Reply:* For example, this app has a FAQ item on it: https://weekcalendar.zendesk.com/hc/en-us/articles/360016079071-Exchange-Calendar-Invisible-iOS12-MDM
Curious - Anyone ever notice how if you enable Automatic Reply AND update your response message at the same time... iOS will only keep the fact that you turned on Automatic Reply? It totally discards the new response until you enable, exit and then add. I think it's been this way for me since... iOS 10 or so?
Hey all. @Russell Mohr and @Jack Madden and I recorded a podcast about iOS 12 from an enterprise point of view. I hope you enjoy. https://www.brianmadden.com/podcast/Aaron-Freimark-and-Russ-Mohr-talk-iOS-12-BrianMaddencom-Podcast-136
*Thread Reply:* I re-listened to the whole thing last night—It’s pretty good 🙂
@here is anyone seeing and getting reports on iOS 12 and Exchange ActiveSync issues (ActiveSync reset, slow of no sync at all)?
And we did have many issues with ActiveSync last year with iOS 11. However we do use O365 not on-prem Exchange
I am seeing it myself on Exchange Online, but also customer(s) reporting issues. Might not be related, but just wanted to check. Thanks @Tycho
Okay. I’ve been using iOS 12 w/ Exchange Online (O365) for awhile with no issues. However, I’m using the OAuth approach not EAS.
I believe @Jonathan Henson is running plenty of iOS 12 w/ On-Prem EAS 2013
Eol here with a few thousand iOS 12 devices. ActiveSync rather than OAuth for the profiles, and no issues reported.
We haven't had any issues reported with EAS on iOS 12 devices from Exchange 2013. With that said, a few individuals were unable to create their initial EAS association after being migrated from a previous version of Exchange to Exchange 2013. Those few users needed to have 'inherit permissions' checked on the account to allow for the initial EAS association to be created.
Anyone tried distributing iOS 12 Shortcuts across an MDM/EMM/UEM? Any advice?
Exactly. Was away for the weekend, so haven't been able to test yet
A web clip opens the App Store to the Shortcuts app rather than the actual shortcut in the Shortcut app. Do you know if the Shortcut app has a URL scheme?
Seems to be a data:text/html;<base64 data> data string, but haven’t played with this today.
What I mean is that apps can designate a URL scheme that will allow you to open content or send data directly to the app. Safari responds to http:// or https://. The VMware Secure Browser is awb:// or awbs://. I’m curious if there is a way to interact with Shortcuts in the same way.
Tweetbot uses: tweetbot:// So you can get the timeline of a user with: tweetbot://<screenname>/timeline
Ah, I see. Not tested. This was the string that the homescreen webclip displayed. I didn't have time to investigate any further since.
I think they're "deep links". I've used them for Yammer and Box links too. Fun fact, you can use facetime://<AppleID> in your email signature for single-click FaceTime calls.
I’m familiar with these protocol URL calls, but didn’t know that they were called deep links. Learn something new everyday…
Taken from https://sharecuts.app
Yep, but this is importing the workflow into Shortcuts. It doesn’t create the webclip itself.
Is there a <shortcuts://run-workflow?url=>... or similar?
Yup, to distribute to a number of devices. Can it be done?
Is there any way using MI Core to enforce Find My iPhone to be enabled on all devices, and also stop the user from disabling it?
It isn’t a MI limitation, it’s an Apple limitation. But if your devices are supervised (DEP, usually), then you have “Lost Mode” which can’t be disabled.
With lost mode, GPS coordinates are sent back to MobileIron, and the device becomes locked with a message of your choice.
Thanks Aaron. Yes, devices are supervised and DEP. We tested what you suggested and it worked perfectly. It is good to know that it is an Apple restriction rather than a MI one.
Yeah, Apple has a problem with allowing businesses to spy on employees' locations without notification. That's one reason Lost Mode locks the device.
Tip: Lost Mode seems to work even if someone turns off Location Services.
Anyone hearing any rumblings about DEP issues today?
At this point, it’s just YouTube this and YouTube that
We've not had anything raised by our users.
I’ve been having VPP issues in business.apple.com
Only that I keep calling it DEP, when I’m told that it should be simply “Device Enrolment”… 😂
I can’t help but say “DEP Program”. Ugh… Redundant Acronyms
Always Be M… ? Mobile? Multitasking? Making acronyms?
That's the guy I call when I need to place an order for new MacBooks yeah?
https://gizmodo.com/apple-reportedly-blocked-police-iphone-hacking-tool-and-1829974710
Anyone have a US based DEP enrollment going on today that can answer a question - when you are going through the enrollment process on the “Remote Management” screen, when you tap “About Remote Management” does the address displayed show the State in the listing or just the city?
@Matthew Shaver AppleSeed for IT has more info on that, see the last sentence especially. > Profile Installation >iOS 12.1.1 beta 1 introduces a new workflow for manually installing configuration profiles. When you manually install a profile, for example from a website or an email message, you will receive a notification that the profile has been downloaded. To install the profile you must launch Settings and tap General then tap Profiles or Devices Management. You will see a list of Downloaded Profiles. You can inspect each one and install or delete it. If you do not install the profile within 24 hours of downloading it, it will be deleted automatically. > >There is no change for profiles installed by Mobile Device Management (MDM), or for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. However, this does change the workflow for manually enrolling in MDM. Please test your MDM enrollment workflow and file feedback for any problems you find. > >Apple plans to test this workflow in iOS 12.1.1 beta but revert it in iOS 12.1.1 GM. We plan to include it in a future iOS 12 GM update.
I provided them some feedback and they sent that through. Thanks! I’m finding a few issues with it, mostly that it no longer respects the DEP Profile if the device re-enrolls without reset
It’s also a bit annoying that there is no difference in the workflow if the device is supervised, it adds taps which always angers the admins
Via DEP, yes, I haven’t tried the Apple Configurator workflow yet
It’s not recognizing the supervision in AC2, may just be a beta bug though
It was making me go to the settings and tap install just like the manual workflow
So from the note there I assume that further profiles installed via MDM (updated WiFi, mail, VPN profiles etc) will still install silently with or without DEP?
Anyone playing with the 12.1.1 Beta 2? Interesting behavior I’m seeing regarding iOS MDM profile “Downloads”. Doesn’t force install. Just installs to Settings, then advises to install if you want to keep it.
BYOD. Direct enroll against Workspace ONE UEM (or inside one of the agents). No DEP involved.
Wow. One more step to ask BYOD users to deal with.
Admittedly I’ve been testing out all the new Workspace ONE UEM + ViDM + App consolidation updates, but I think this is a result of something on the iOS side. I can’t see something like that sticking around. You’re lucky to get a user to complete enrollment as-is. That would surely drive the enrollment abandonment rates through the roof.
That's going to suck just a little more for customers not supervising their estate (of which I know many).
It’s going to suck majorly for us.... we have DEP enabled... but only in about 15 countries... less than half our user estate.
*Thread Reply:* FWIW Apple has done this UAMDM on Mac for a while (since 10.13.2), this is why I amended the process to enable the user to manually click that.
The biggest change actually is that under High Sierra it wasn't super needed, the only real actual ability that was blocked without it was the loading of kernel modules. But in Mojave there are a bit more things under it.
It’s baffling. Google are over here working to improve the work/personal divide while ensuring a smooth and simple enrolment process, while Apple flip IT the bird and actively make it more difficult to enrol a BYOD device.
If you’re duped into downloading a profile in the first place, I don’t see how adding an extra step will stop you from installing it, really.
Apple’s making it more difficult for a user to enroll a device into MDM without thinking twice. Lots of us will tap on a dialog by muscle memory. Modifying Settings? Not so common.
I’m sure Apple also has in mind two phones for each of us: work (easy to enroll) and personal (easy to keep work away).
*Thread Reply:* But yet they still haven't added a work profile mode which I really love on Android because it allows you to keep the work part completely separate. I really wish Apple would do that.
*Thread Reply:* I think the UX on work profile is really great. One tap and all work stuff is off, and you can still use the same apps for personal use.
*Thread Reply:* Thanks for explaining that. I’m deep in the Apple bubble, so was only partially aware of that. Seems like something Apple could easily implement for unsupervised devices.
*Thread Reply:* Or even supervised ones, as long as there is an option to disable.
*Thread Reply:* Yes that's the big benefit of work profile mode. It's ideal for BYO scenarios. It creates a container on your phone with all your work stuff, and only that container is managed by the company. The MDM can only 'see' inside the container, e.g. it can't even see what apps you have installed personally.
So it's a good balance between privacy and security. Any apps installed into the profile will get a badge on top so you can tell the difference between them and the same app on your general phone. You also have separate storage so you can make sure corp. info can't be shared to personal apps if you like (we do this). And I really like the way I can just toggle the work profile off, which means all notifications will be muted (and even the background app update disabled for work apps).
*Thread Reply:* With Apple you only have the full enrolment option really (though you do have the supervised/non supervised difference)
*Thread Reply:* What happens if you have the same app in both work and personal? Two copies?
*Thread Reply:* Yep. Work Camera and Personal Camera etc
*Thread Reply:* That wouldn’t be the Apple way then.
*Thread Reply:* Not in the way Android do it, but they wouldn't necessarily have to implement it in the same way. I could see Apple making something where you "flip" the screen around to a second homescreen for business. Until recently a dual-sim phone wasn't Apple's way either but they turned that around too.
They'd just make the difference more clear. And the 2 cameras aren't a good example, they're not needed in most cases because you can usually share from personal -> Work, just not the other way around. But having 2 mail apps is quite handy IMO. I just wish they were a bit easier to tell apart, there's only a tiny overlay while using them. Having one with a work branding or different tint colour would be better.
Especially considering Apple's pricing now I don't think they can keep expecting people to buy phones privately if they already get one for business 🙂 It's really what put me off Apple. I've been using Macs since OSX 10.2 and iPhones since the iPhone 1. But I really won't consider spending as much on a phone as they're asking now...
And I think while Google's way is not perfect it's definitely an out of the box rethink that better addresses how to combine work use with private use. For example: One thing that I really don't like with Apple's way is how easy it is to mistakenly create a contact in the wrong address book. Most of my personal contacts on my iPhone were in the work address book so when I unenrolled it from MDM they all disappeared from my phone. I've also several times sent an email to colleagues from my private address by mistake which caused the email address to be added to their reply lists, and it took a long time to get that address off everyone's address books again 🙂
*Thread Reply:* Great response. Much to think about.
I don’t doubt that for a moment. The road back to 1 trillion was never going to be easy (for the end user) 😄
Has anyone ever heard of a carrier or supplier charging to add devices to the DEP portal on dispatch?
We have a carrier in India looking to charge us something like a couple of euros per device to simply add it to the portal.
We already have 20 suppliers on our portal who don't charge, just wondering if anyone has seen anyone doing this?
Nope, and I would think this breaches Apple’s Ts&Cs. Ask them to put it in writing so that you can discuss with Apple? 😂
Yes it does breach Apple’s terms and conditions. I know that Apple here is very strict in this and will throw the supplier out of the DEP program.
@Jason Bayton I’ve not seen this and would be surprised if that were the case. EE/BT and Telefonica may have minimum size limits, but that’s a separate issue.
Thank the Lord for Configurator self-enrolment into DEP.
I have a feeling that it’s to do with the distributors.
If you buy direct from DEP Providers I expect they don’t charge as they’re contracted not to.
But if you buy from somewhere that isn’t supplying the device themselves but is using a 3rd party distributor like Ingram Micro, they may be being charged a nominal fee by them, which they are trying to pass on.
Btw I have it in writing from them so will pass onto Apple and get their feedback.
I don’t believe disties are allowed to charge, either.
@Simon Hardy-Bistagne we already had some Zero-touch partners asking for 1$ / device to add the devices in the Zero-touch Portal and some partners requiring a "DEP initial enrollment fee"...but never a fee to add a single device in the DEP program!
Is it me, or is Calendar sluggish as a whole in iOS 12?
*Thread Reply:* We are seeing sluggishness too. Mainly with opening meeting invites with large number of invitees (20+). We opened a support case with Apple, but they didn’t really want to know about it.
*Thread Reply:* It seems like any time I launch Calendar… there’s a 5-10 second wait until it’s responsive
*Thread Reply:* I see GAL lookup issues since iOS 12 (+ office365)
*Thread Reply:* My phone (BYOD) has a combo of calendars from iCloud, O365 and Gmail… so it’d be tough to say
*Thread Reply:* Sluggish calendar and GAL lookup issues for me too
Deutsche Telekom also charges 5€ for every device or 500€ once.
Anyone done user certificate from MDM on O365 Apps iOS? Certificates are present but not picked up/seen by, for example, Outlook. Anyone, what’s lacking?
@John O Andersen you’re talking CBA into Azure for modern O365 services (Exchange Online/Word/Excel/SharePoint/etc) Everything except ActiveSync. Right?
Using internal Microsoft user CA managed by Citrix XenMobile/Endpoint Management to the device... O365 client not seeing CBA alternative to Azure
Okay, so when you access your O365 tenant/service, is it prompting you to select a certificate? Or are you redirected to your IdP to sign-in?
Is your CRL internet-facing? Ie. do you have the CRL published on the internet somewhere?
Suggest to read: https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started and follow the configuration and requirements from there.
Have you got your IdP configured to check for the cert rather than Azure?
@Simon Hardy-Bistagne right there with you. Trying to determine who in this scenario should actually be prompting for the cert (and why he’s not able to offer one up)
It sounds like AAD is the IDP, but I am not sure.
Don’t know about other admins but we get a lot of questions around iOS restore behavior when working with DEP devices. There are some answers on the web with a quick search through old forums, but I’ve created a quick reference guide for iOS 12.x if anyone needs it:
Morning, I have a question regarding first activation of an iPhone. Is a sim card not mandatory anymore in order to activate the device?
They changed that during the iOS 12 beta if I remember correctly
Great, now that iOS 12.1.1 is GA what is everyone doing for the MDM profile install behavior change?
According to our sources that shouldn’t be live in the GA. I think it’s probably slated for 12.3
This is what I've been told... are you seeing that the GA includes this new "feature"?
Out of curiosity, even though it is not happening now; what is set to be changed in the mdm profile install process?
Basically; you download the mdm profile, but it does not install. The user has to manually install it
And make DEP even more important for corporate devices
As far as I know it will be released in 12.3. The .3 release is typically the education and enterprise feature release for iOS
The biggest problem I saw in the beta (outside the completely new workflows) is that the device being supervised didn’t make a difference in the way the profile was treated, so this is probably gonna be a big PITA for folks not using DEP to enroll.
Thank god we got DEP in place, can imagine this messing up a lot of peoples setup
It sucks, but apple has been saying DEP is the only way for corporate devices going forward for years now. Have a number of customers who never “believed” it or found it cumbersome to do DEP.
We have DEP in 13 countries... 17 suppliers... that makes up probably 60% of our corp devices.... China... most of South America... a lot of Asia.... no DEP available at all from Apple... Going to make life suck for our users unless the EMMs can automate this.
Phew thanks guys - I was running around with meetings and got the Appleseed email so I freaked out
@aaron did your teams do any testing with the new profile setup in the beta to see if there were any automation possibilities?
@Matthew Shaver we tested non-DEP enrollment with the 12.1.1 betas and our process was unaffected. That is, silent installation on supervised devices did not prompt. That’s really good.
I think DEP users will be fine.
It's the new process for non-DEP that will add the confusion if it can't be agent automated.
A lot of customers migrate from one EMM to another... this is a p** in the a** for the end user and for the support team...
It’s just typical from the likes of Apple and Microshaft - don’t listen to the customer
Same if you want to revoke the Azure AD refresh token - the only parameter that it accepts is ObjectID but that’s another story for another day 😭
*Thread Reply:* @Damian how do you systematically do this?
*Thread Reply:* We use AirWatch and the feature exists to revoke the token but only if your onprem UPN matches your cloud UPN. It’s not our case and we have to create a script to address this
*Thread Reply:* I’ve requested a feature enhancement since July this year
We started to collect global feedback from our customers and will get back to Apple soon - see the following form on our website and feel free to participate: https://nomasis.ch/apple-petition/
(for the time being it's only in German).
We know that most customers will complain if Apple brings this change!
Seems to me Apple is proactively asking for feedback on this new MDM process for BYOD. They allowed everyone to preview this long before introduction. They have never done that before. So please do provide feedback to them. And if you don’t like this new system, feel free to recommend alternative ways to protect non-corporate users from malicious MDM enrollment while keeping it easy for corporate users.
*Thread Reply:* That is a very good point Aaron. While I initially focused on the negatives of the idea from an MDM enrollment process I didn’t think of the security aspect
We know that some large clients of even larger importance have asked them not to do this in 12 and that the answers they received were pretty much “you know it’s coming, do what you need to prepare”, so I don’t have high hopes that they’re going to listen to that feedback
So we got the blended reply... it's coming... get ready... but make sure you feedback as we really want to hear from you...
We’ve had top-to-top meetings with Apple on the BYOD enrollment process and they continue to say they’re working to meet the needs of the enterprise. This proves otherwise. If the MDM agent is used to enroll, can’t Apple make the determination that this is a trusted agent and can perform MDM enrollment?
*Thread Reply:* In terms of implementation, I don’t think it is workable for Apple to ensure if it is a trusted agent.
*Thread Reply:* All of the agents are on their App Store and go through the rigor of their vetting process. Couldn’t there be extra rigor for MDM agents? It’s really just a thought, but this separation of the profile from the process is a pain.
*Thread Reply:* More thinking out loud: Apple could move more of the invasive MDM features over to DEP/supervised (like device wipe, app polling, device-wide VPN). That would make MDM enrollment slightly more benign. But, as long as MDM can be used to trust enterprise developers, then it’s still a route for installing malware. So we’re stuck.
*Thread Reply:* Maybe it’s just that enterprise-signed apps on BYO shouldn’t be a thing?
*Thread Reply:* extreme, but I could see there being a case for “If you don’t own the device, the app has to go through the public store”
*Thread Reply:* and then non supervised/ non/DEP MDM has a much more limited scope, like MDM light; much more palatable for BYOD; maybe allows multiple enrollments, etc.
*Thread Reply:* As I wrote… https://www.brianmadden.com/opinion/Its-okay-to-say-no-to-BYOD-and-have-two-phones-for-users-or-IT
*Thread Reply:* The way for Apple to implement your suggestion would be to use a new entitlement for App Store apps. The entitlement system is already used for CarPlay apps, GPS apps, VoIP apps… This would be an entitlement that declares “I’m allowed to install an MDM profile without extra effort.”
*Thread Reply:* By using entitlements, Apple could keep a close watch on MDM apps to make sure they are legit.
*Thread Reply:* ⬆️ This. This right here. Thanks @aaron
Unfortunately can’t open the link. What does it say?
Have a look at the following link: there are some new requirements for Certificates since iOS 12.1.1: https://support.apple.com/en-us/HT205280
Failing to comply will prevent TLS connection, i.e. MDM enrollment, check-ins, ActiveSync etc....
iOS BETA 12.1.2 is out and it has the same behavior we saw before with manual enrollments. If you haven’t been hands on with the workflow and your environment relies upon manual (non-DEP) enrollments, I’d recommend testing and preparing any documentation you have for updates. From everything we’ve heard, despite feedback, Apple is moving forward with the changes and they’re likely going to drop in the 12.3 release
Just for clarification, it will be live with 12.3 not 12.1.3 right?
AirWatch told us 12.1.3
But it sounds like more of a 12.3 thing...
With that change I see an opportunity for Apple to create a “work off” button in iOS. Because the profile is here but not enabled...
Potentially... though I expect (and have not yet tested) that if you disable the profile, any apps and further profiles would be removed, no?
If you think about it AE-WP has the work button
iOS has the ability to offload apps when they are not used for some time... why not do the same when you disable the profile?
I could see some really big show stoppers there if you weren't able to control this... Imagine your CEO turning work mode off overnight... then Monday morning in the car on his way to the office he turns it back on... Outlook can't install as it's over the limit iOS allows you to install over 4G... boom... no emails.
The offload feature is fine for consumer use... but for enterprise use it's potentially a production killer.
Agree @Simon Hardy-Bistagne. I agree, iOS needs a button to turn off work but they need to do it in a way that just pauses the app/related notifications until it’s turned back on. Removing in a style similar to the offload feature would be incredibly painful
I agree too. What I meant was that iOS is able to completely programmatically separate the binary (I.e: App functionalities) and the data set.
Apple confirmed that the offload unused apps feature doesn’t apply to managed apps
*Thread Reply:* Hm I don't think this is true, it has happened several times to me that it did offload managed apps when I was still using iOS. However this was in the iOS 11 days.
*Thread Reply:* I know because it caused some issues with my compliance: One time it offloaded Lookout which is required for our compliance 🙂
*Thread Reply:* I’m just stating what Apple officially told me 😉
*Thread Reply:* However we have seen some cases whereby WS1 was offloaded
*Thread Reply:* I opened a case but they didn’t have enough data and needed debug profiles installed to gather the necessary data - we’re obviously not going to do that for all our users...
I’ve had an article about some of these BYOD deficiencies that I wrote almost 2 years ago; I published an updated version today. Maybe it can be useful for helping to spread the word: https://www.brianmadden.com/opinion/Apples-iOS-management-protocol-needs-to-get-better-for-BYOD-Heres-why-and-what-they-could-do
*Thread Reply:* Totally agree, I've been thinking roughly the same regarding work profile. Android is really innovative with Work Profile and I really miss that user experience on an iPhone. But this really clarifies the point, I'll archive it, thanks!
*Thread Reply:* Though we are seeing a big move to app-based MAM and basically to abandon the MDM concept altogether for BYOD. By the time Apple catches up this could be the main method in use, and it already works on iOS. Users tend to like this a lot, even if they miss out on the easy on/off feature of Work Profile, because they still perceive our MDM client as "spyware" in many cases.
MS just posted this update to Intune:
Updates for Application Transport Security Microsoft Intune supports Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, to ensure Intune is more secure by default, and to align with other Microsoft services such as Microsoft Office 365. In order to meet this requirement, the iOS and macOS company portals will enforce Apple's updated Application Transport Security (ATS) requirements, which also require TLS 1.2+. ATS is used to enforce stricter security on all app communications over HTTPS. This change impacts Intune customers using the iOS and macOS Company Portal apps. For more information, see the Intune support blog.
Is there a possibility to change the wifi profile on iOS in AirWatch in a way where the user has the possibility to "forget the network" so that they can login again to that very same network after a password change?
@Julio wouldn’t the connection/auth fail, then pop-up with “Incorrect Password” and allow them to enter the new one?
Actually the phone is not showing that pop up, it is simply not connecting
Interesting. Perhaps you could create a custom profile in Configurator 2 and upload/distribute (if the Forget option is present)
Hi all, are you aware of the iOS limitation with Per-App VPN when trying to access internal resources with a .local domain?
Official statement from Apple: https://support.apple.com/en-us/HT207511
We are having this issue with one of our customers - they are using Checkpoint as their VPN. I’m unable to replicate the issue using VMware Tunnel as my VPN server (it works fine for me). So wondering if it is a limitation on how Checkpoint have designed their app and config…
We know this challenge with MobileIron and the SSO configuration, it does not work on iOS with .local domain i.e. to get a Kerberos ticket...I guess the .local domain is used for the "local" iOS name resolution.
as long as DNS traverses the tunnel you are fine;
I know iOS 12 made some improvements on this specifically
Sounds like @Alex Chappuis is going to set it up and let us know 🙂
In talking to Lookout and Wandera, we’ve found that there are more people running side-loaded apps on iOS than we thought. We’re assuming that many people are doing this not by jailbreaking, but by using Xcode to re-sign apps distributed as source code. Anybody have any thoughts on this, see it in their environment, or do it on their own for fun?
@Jack Madden I do it for Provenance (Emulator app for NES/SNES/etc)
*Thread Reply:* Do you just recompile from source code in Xcode and then install it? I know a couple years back they started allowing people to sign apps for usage on their own devices without paying $99 to join the dev program
*Thread Reply:* @Jack Madden yes. You can still sign them, but the signing expires after 5 or 7 days.
*Thread Reply:* Ah okay. My colleague has been playing with this, so we’ll see when it expires
*Thread Reply:* He just saw that Cydia Impactor makes the resigning/installation process ridiculously easy.
*Thread Reply:* Plus, we found a site installing apps via enterprise certs in about 2 seconds of googling.
*Thread Reply:* Yeah! That Impactor tool is pretty awesome. I always heard “signing as a service” was very much available. Apparently it still is!
Yeah, it does cost $99 but it’s worth it to stay involved and be able to sign/distribute when needed
I assume lots of people with $99 developer certs share these types of apps with their friends, too
Here are the numbers, BTW: https://www.brianmadden.com/opinion/How-bad-are-mobile-security-threats-Our-look-at-the-numbers-starts-with-Google-and-Lookout
@Woody we tried multiple times SSO + Tunnel + .local domain, also with iOS 12...and it never worked. As soon as we are using another DNS suffix (e.g. com, int etc.) it's OK.
@Jack Madden We have a few thousand devices under Lookout, and only see our internal certs on them. I don't see anyone having generated their own for this kind of use case. But... I can certainly see it being a possibility.
The downside though is that Lookout still can't whitelist an app based on a known cert... they are separate controls.
*Thread Reply:* Interesting.. Thanks!
Is there a good AirPlay recording software where you can blur certain keyboard inputs?
*Thread Reply:* I normally record in QuickTime and blur in post production when capturing iOS.
Are you looking for live capability?
Maybe something like OBS would be a good option. Switching to a scene which has that section blurred.
*Thread Reply:* I don’t know of anything that can blur on the fly. I do all mine post in SnagIt and Camtasia.
*Thread Reply:* I just cut those out and add a cross-fade in hitfilm express or imovie
*Thread Reply:* I record in QuickTime and cut it in CuteCut for Mac. Why CuteCut? I use CuteCut on iOS too...
*Thread Reply:* Thanks for the great input!
Does anyone know if In-App purchases can be done through VPP? (MobileIron) - found this: https://verschoren.com/2018/02/vpp-in-app-purchase/ Not sure if this is still accurate.
Apple offers no way to manage in-app purchases at all. (Except disabling them on supervised devices.)
So here’s an interesting one… in Settings > Sounds and Haptics, under Ringer and Alerts, there’s the “change with buttons” setting. At some point last year, this setting got turned off on my phone. I didn’t even know it existed, and then I spent a while occasionally wondering why I couldn’t change my alarm volume, until I finally googled the issue. I just talked my coworker through fixing it, too. Has this caught anybody else? I think the setting may have gotten flipped when I got my new phone, but I’m not sure. Was this an iOS 12 thing?
I just had a look and I'll admit I hadn't actually noticed before!
Same here although mine was disabled as well! I normally have my phone on silent so didn’t bother me much
This option has been available for a while. I remember switching it off when I was using my iPhone 5 or there about!!
Office is finally in the Mac App Store. Good news, but all I could think was “could we finally get support for App Config in the mobile clients, please?!?!” https://www.apple.com/newsroom/2019/01/the-mac-app-store-welcomes-office-365/
*Thread Reply:* @Tycho good news!
*Thread Reply:* Indeed!! And they have done the purchasing via in-app so technically it should play fine with O365 subscriptions on VPP. Will give it a try tomorrow. If it doesn't interfere with my existing installation I might just assign it to everyone.
This will make DEP much more feasible too due to not having to include this anymore, it's by far the biggest package.
*Thread Reply:* Amen, @Jack Madden! Baby steps is MSFT’s MO these days
*Thread Reply:* After installation I get like 10 of these in a row... That's not so nice (yes I clicked always allow every time) - had to enter the same password every time too.
That's something I'll have to see about before pushing this to the users with existing installations. Somehow it doesn't gracefully take over the old local installation's rights.
*Thread Reply:* Ok so Microsoft's Mac expert is live in macadmins in the office channel. So the issue is that the old apps are signed with MS's key and the new ones with Apple's key so they don't get the access. But he's provided a tool to delete the items from the keychain. Will check tomorrow. Just wanted to mention here in case one of you runs into this too.
Of course the user can't be opening any O365 apps during app store installation so it'll have to be a scripted migration that enforces the right order of things. Will think about it.
*Thread Reply:* FAQ goodies: https://docs.microsoft.com/en-ie/deployoffice/mac/deploy-mac-app-store
iOS 12.2 will introduce the new iOS MDM Enrollment workflow. Source: MobileIron
*Thread Reply:* This? https://emm.how/t/ios-12-1-3-beta-4-changes-to-mdm-enrolment-workflow/917
*Thread Reply:* From Apple: In order to improve platform security by reducing misleading profile installations, iOS 12.2 beta includes a new workflow for manually installing configuration profiles. Apple plans to test this workflow in iOS 12.2 beta and include it in iOS 12.2 GM.
*Thread Reply:* Should be noted there is a MAJOR change from previous beta testing. In the past few versions, if the profile was not installed within 24 hours, it would automatically be deleted. They have now lowered that time to 8 minutes
*Thread Reply:* I think the 8 minutes thing is to guarantee that the MDM will not reject the device when it will connect...
MobileIron Core iReg with QR code - what exactly does this mean: “Mobile@Work or MobileIron Go must be open before 4h from registration”.. Mobile@Work needs to be opened once 4 hours before the enrollment or is there a 4-hour window for the enrollment? https://community.mobileiron.com/docs/DOC-8291
*Thread Reply:* Otherwise the app will not be activated and the client will be installed but not synchronised
*Thread Reply:* On Core it’s possible to change the value
*Thread Reply:* As far as I know Cloud is set to 24 hours
This was on TechMeme today; I never heard of them before now but does anybody have any experience with them (or heard of them?) https://venturebeat.com/2019/01/28/mosyle-raises-16-million-to-streamline-apple-device-management/
*Thread Reply:* Venture Beat continues its uneven journalistic endeavors by writing about them like MDM is something brand new that nobody has ever seen before. I haven’t come across these cats yet, but it seems like they’re trying to position themselves as a cost effective competitor to JAMF
*Thread Reply:* Reminds me of the 2011-2012 era when we’d average one MDM product launch/MDM startup/MDM acquisition per week
Apologies if this came up already, but did anybody see the recent iPod Touch rumors? Long live 4" devices (I suppose) https://www.macrumors.com/2019/01/25/new-ipad-models-7th-gen-ipod-touch-ios-12-2/
*Thread Reply:* It’s been the perennial topic of conversation on podcasts with @aaron and @Russell Mohr
But I don’t get why they would want to release a new iPod though?
To give continuity for embedded devices makes sense (barcode scanners/CC reader sleds used in healthcare, retail, etc.) though I wonder if Apple is really keeping a product alive just for the enterprise, or if they see much of a market for it anywhere else?
*Thread Reply:* In the Capitol Region of Denmark they have about 4.000 iPods in use for the healthcare system used with Honeywell scanners.
All the charts I’ve seen don’t (or can’t) even track sales. I feel like there is some old guy who has been at Apple since the late 90s who is basically untouchable that keeps them alive for nostalgic purposes
Can’t wait for the 20th anniversary iPod!
The iPod Touch is a really nice way for developers to get a cheap iOS device. It was the reason I had one for a while. Not sure if this is really enough to keep it on the lineup as a model but I sure was happy to have it. I'd say there's more edge cases like that.
*Thread Reply:* Yep... and holy f**k balls...
This is a massive one... Apple have disabled the group FaceTime servers which "should" stem this from being exploited, however I'm seeing reports that this exploit still works.
I'm disabling FaceTime on our top exec iOS devices until a patch is made available.
*Thread Reply:* Apple have disabled Group FaceTime. Good timing, I was about to send a mass communication to users :-) https://www.apple.com/support/systemstatus/
*Thread Reply:* TBH I would still send out comms around the issue. It's going to be in the news today, and users (and top execs) will have questions, so it's better to get head of it. Not necessarily via email, but Yammer post or blog post on your internal sites.
What worries me more here isn't the exploit itself, but the fact that built into the code of iOS is the ability to remotely enable your microphone and camera.
This is something that should be securely coded into the OS so that it cannot happen without a user giving approval every time.
This negates many of the arguments that Apple has around security.
*Thread Reply:* Interesting sidenote, FaceTime is one of the restrictions that’s getting deprecated to Supervised-only
https://www.theverge.com/platform/amp/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
Nice to see Apple following through on their stance about enterprise signing and distribution of apps.
Kind of funny that one of their targets ended up being Facebook
Wow... Nice!
Resign, redeploy... I wonder what EMM they use... Though saying that... If they're just signing for users to go download, that's funny... suck!
I wonder if they have a more than one enterprise developer subscription...
I would be shocked if they didn't.
At least one for internal apps and one for external customer apps
And even then, multiple certificates per account... I wonder if Apple canned the entire Dev account or just a single cert
I agree that Facebook deserved it. Grabs popcorn
Reminds me of back when we all talked about wrapping public apps with MAM and resigning them, and wondered if Apple would ever get mad at a company and revoke their cert
I know a company that got their enterprise developer account revoked ( entire account) by Apple. They offered a beta of their apps on their website
Also, my sympathy to the admins at FB that have to deal with this
Google’s also peddling a data collector through Apple’s back door – TechCrunch https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/ Let’s see if they do the same to Google...
I’m looking for more details on how the TOS defines “employees” and “organization” - any thoughts?
Ah… they’re here but not public, it seems: https://developer.apple.com/terms/
I’m sure a lot of companies are now going to audit their usage of the program, at least for peace of mind
This is the only way to make apps that (a) is relatively easy to distribute and (b) doesn’t get reviewed by Apple. Originally, the Apple Ts & Cs limited distribution to employees only. Over the last years they added provisions for contractors and customers — when on premises. That’s actually opened up valid use considerably.
Does device ownership matter? What if a customer that’s using it, but the company owns the device?
Really the only valid option for apps to individuals is to publish through the App Store. Makes you wonder why these companies don’t do that with their apps. Oh right — it’s because the apps spy on user behavior.
Yeah… there’s market research, and then there’s asking a user to install a profile with a root cert… Makes me curious what popular apps out there are and aren’t using pinning
Meh... I’ll argue that half of our internal apps contain either company sensitive data, or at least data that we wouldn’t want in the public domain.
Internal distribution is the best option in those cases.
Ownership shouldn’t matter, especially as enterprise leasing is now getting popular in many countries so you never actually own the device. Apple even provide this too.
@Jack Madden I think it reminds me of a question you asked a while ago about how many devices out there have 3rd party app signing certs on their devices.
I think we’re going to take another pass at our reports this week and do a quick audit, as I think this type of mechanism is a lot more widespread than we think.
I guess one question is: Can the app be structured in such a way that the sensitive data is not in the app itself, and instead entirely contained in content that gets downloaded later (documents, customer records)? Or are the actual coded-in features of the app considered sensitive, and there’s no way to construct the app otherwise?
*Thread Reply:* There are a few Twitter accounts or websites which you can follow to receive a notification when a new version is released. I prefer https://twitter.com/iOSReleases
How do you guys go about testing the new iOS in regard to the FaceTime bug?
We can't test this - the group calls have been disabled by Apple for older iOS versions
So you can't really test the actual exploit because it no longer works
Apple did this as a preliminary mitigation of the bug, in advance of the updated firmware availability
Yeah, so we’ll have to trust it, since there is no proper way of testing. Just asking because our security team asked if we could test this
Well you can test with one device, right? Upgrade to 12.1.4 and test it…
But you can't compare the "working exploit" situation before 12.1.4 with the fixed situation, that's what I mean
So, a couple of interesting things here: https://techcrunch.com/2019/02/12/apple-porn-gambling-apps/
(BTW, it includes some pixelated screenshots of apps, so may be NSFW)
I wonder if Apple might just throw up their hands and restrict enterprise-signed apps to enrolled devices
*Thread Reply:* Hmmmm....
So that's not a crazy idea. Integrate Enterprise apps with the appstore (much like google) would resolve some of the distribution issues.
Interesting they focus so hard on the porn aspect. As far as I know, making "porn" apps for internal Enterprise use doesn't specifically break any T's & C's; the distribution outside the enterprises certainly does, though.
(Also, I want to point out that my colleague wrote an article about this in the beginning of January. We should have just put “porn” in the title to get more attention)
But seriously, it only took about 30 seconds of googling (back in January) to find enterprise-signed apps to side load
I agree that moving to enrolled devices only would be a good intermediate. Deploy apps only using the B2B VPP store, not sure how that would affect developing etc though.
I think the system doesn’t fit an MDM world, nor a MAM one... updating a certificate every year is a pain in the ** for many admins who don’t control the signing process or simply forget to resign apps.
Customer platforms with more than 20 apps require at least one app signing per month because development cycles are not aligned.
Admins have better things to do than signing apps every day....!
I stopped counting the number of times customers told me that they failed to renew their line-of-business app signature
Build automation and application lifecycle management helps. But I agree. A longer expiry would help for internal app provisioning profiles to align to the distribution cert.
We're at the stage now of having around 120 internal apps using the same cert. Once you come to expiry you can basically resign all at the same time with a new cert via both AirWatch and Intune, so we only have to hit new apps individually.
Makes life simpler
*Thread Reply:* But if there was a compromise then all your apps are impacted, aren't they? Speaking from a security perspective.
*Thread Reply:* I don't see any real risks.
All the cert does is allow an app you've created to run on an iOS device outside of the App Store. If a 3rd party got the cert, then the most they can do is sign their own apps with it until it expires in under 12 months. And that won't impact my security. Potentially if Apple got wind they might can the cert, but it's a very unlikely situation. It's no more risky than a company deploying the Root CA cert to all their desktop devices. It's BAU.
Access to corporate data on our own internal apps isn't covered by an app signature.
If anything, when I'm signing apps with a single (or small number of) internal signing cert, I am more confident that the apps on my users' devices are genuine. At the moment, I can set my MTD to flag apps which are signed by a 3rd party as a risk, apart from those apps which are carrying my cert. If I had to do that for 150 different certs, all expiring throughout the year, I'd have to employ a person just to carry out the task of updating the MTD policy.
Also, when it comes round to renewals, it's a single, simple push for all my enterprise apps to ensure they keep running. If I had to resign each individually and redeploy, then my life would be hell.
*Thread Reply:* The enterprise developer account for internal apps only allows 2 distribution certificates to be in use. So you don’t really have a choice. But I agree with Simon that a single cert or two on rotation with a single team responsible for it, is a much simpler and more manageable approach.
https://www.gottabemobile.com/ios-12-problems-5-things-you-need-to-know/
Tbh, I pay little credence to Forbes’s reporting of apple bugs.
They always seem to sensationalise a lot of them, even if they are based on only a handful of reports.
I’m certainly recommending the upgrade to 12.1.4
Easy for Forbes: with every new iOS release they whip out the same article. Search and replace iOS versions and done....
https://blogs.vmware.com/euc/2019/02/ios-devices-mdm.html
*Thread Reply:* They've done something similar on Mac already, yes..
I would really have preferred if they just put up a big warning screen with the implications instead. Getting the users to hunt around in the settings menu is not great IMO, and it doesn't really address the issue (possibly granting malicious actors access) as well as a good system dialog with a clear warning of what they are about to agree to.
But it's Apple so we'll just have to make do with what they decide.
*Thread Reply:* Our users are going to love this...it’s not as if the enrollment procedure isn’t long winded enough in its current form 🙄
*Thread Reply:* Do you know which iOS GA will include this?
*Thread Reply:* It’s not mentioned in the article
*Thread Reply:* It’s already in beta - I’ve confirmed and bloody annoying
*Thread Reply:* Will probably be included in the next minor update or so
*Thread Reply:* Yeah but that doesn’t help us prepare 😊 we need to update all our enrollment guides...
*Thread Reply:* This article should include a visual of Android Enterprise (Work Profile) enrollment as an alternative 😬
Just wanted to share a nice tool for automated build and deployment of In-house Apps: https://ebf.de/en/solutions/incapptic-connect/ https://www.incapptic.com/
Does anybody have a solution for BYOD on iOS with Workspace One that would physically separate work and private data? I know the apps are sandboxed and so on, but management keeps asking for a solution similar to the work profile on Android🙄
You also have adaptive management with WS1 - look it up
And...in this BYOD scenario you can sign in to WS1 by federating it with your IdP so no messy passwords etc
But outlook mobile is just a managed app in the same user space with a PIN on the front of it. How is that comparable? 😛
Yeah, it is nothing that would separate stuff into Workspace and Private space
iOS is way behind in BYOD - just ask @Jack Madden he’s blogged this to death 😆
I thought about making use of all the WS1 apps, like Boxer and inbox just to give them “a more secure feeling” but that’s also not it
Your best bet is to rely on MAM and maybe install a MTD solution such as Lookout - all depends on how strict your security team is...
Boxer requires the MDM agent last time I heard
So when you stick an agent on the device it’s not really BYOD 😉
Are you looking for collaboration with the MSFT suite?
Right now our BYOD is what you mentioned, with the agent
Anyone using certificate-based authentication towards ADFS on iOS?
We're also at about 75% - we want to get towards 50/50 though
But with an agent it's not really BYOD? Not sure if I really agree there 🙂 Android Work Profile also requires an agent to manage it.
But I agree Work Profile is a really nice solution for balancing work/private life and I really miss this separation on iOS
No we give the users the option. MDM for full functionality with office WiFi access, VPN, many apps etc. Or MAM with just outlook and nothing else. I don't think MDM is a bad option for BYOD at all as long as you make clear what you manage and what you don't. Most MDMs have clarified that a lot lately (WS1 with its privacy webclip, intune has clear screens during enrolment) PS: Outlook MAM does actually require the authenticator and Intune company portal installed 🙂 But it doesn't need to be enrolled
AFE has its own agent within the encrypted workspace and so is completely separate from the personal space. Therefore an admin only controls that part. It’s not the same as iOS. Even if you limit what can be done via the agent it still doesn’t stop an admin with a grudge changing the settings and for example wiping the entire device! I can tell you from experience that our USA office won’t even entertain an agent on a personal device.
*Thread Reply:* That first part (the admin only controls the work profile) is not strictly the case, even in standard work profile modes (not COPE or COBO) you can control several things at the device level. For example we block sideloading even on the 'main' side of the phone through the agent, and we load WiFi profiles with certificates. We also install lookout that scans a lot on the phone and the surrounding networks.
But yes, the phone personal data is much better protected from the agent on a work profile. I also really like the way you can just switch off the work side. Apple has a lot of catching up to do there.
*Thread Reply:* True, from an Android perspective we do enforce encryption of the device and a device password but in regards to splitting work from personal its night and day...
*Thread Reply:* Oh yeah true, I forgot those but we do them as well 🙂
*Thread Reply:* Not completely true. An admin can set the permissions of the MDM profile and for instance prevent full wipe of the device. Possible with MobileIron Core but not AirWatch, I think
*Thread Reply:* In that case, the user sees during installation of the MDM profile a statement according to the permissions
*Thread Reply:* Not sure what you mean by preventing full wipe via the MDM profile via admin... isn’t it the same as restricting the option to wipe the device in the AW role permissions of the admin accounts?
*Thread Reply:* Nope. An MDM profile can have a set of permissions that are set inside the payload which prevent the MDM from taking the action even if the UI allows this.
*Thread Reply:* See page 16 https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf#page16
*Thread Reply:* So you can do this in MobileIron but not AirWatch?
But every company has its own policies and use cases
We recently asked VMware to create a new feature for us that requests multiple PIN validations for any admin modification of privacy settings or higher function admin mods like device wipe. No news as of yet...
At least that goes some way in reassuring our compliance/security teams
> So when you stick an agent on the device it’s not really BYOD 😉
What sort of nonsense is that? 😛 you bring a personal device into a corporate setting, that's BYOD, not whether or not there's an agent defining how corp data is accessed.
Agree with everything else though..
*Thread Reply:* Figure of speech, not nonsense 😝
I’m not trying to define BYOD as to whether or not the device has an agent. An agent on an iOS device in the traditional sense is MDM, which allows an admin to do what they like if they have the rights...MAM on the other hand is an acceptable scenario for BYOD as long as it covers jailbreak, minimum OS version etc...device passcode enforcement however requires MDM. Again, not easy to define a true BYOD policy for iOS.
@Jason Bayton if you really think about it, the presence of an agent freaks people out. You can list everything that an admin can do and the privacy settings (data collected etc) but you can’t really take away the fact that an agent on the device (talking about iOS here) means that anything is possible. I’m not comfortable with that but other people don’t give a damn...and that’s also cool 😊
Oh yeah, iOS BYOD is defined by policy rather than.. device, but I don't think that changes the definition of BYOD
*Thread Reply:* Not easy to define BYOD on iOS mate 😉
Maybe not everyone is clear what is meant by “agent” on iOS. Sure, there may be an app that accompanies the MDM, like Hub for AirWatch. But that’s just a sandboxed iOS app like every other sandboxed iOS app on your device. It has no special access to the OS just because it comes from an MDM. The app can’t wipe your device, can’t send data to your MDM, and doesn’t do anything when it is in the background.
The real MDM agent is an Apple process named mdmd which is present on EVERY iOS device, whether it is enrolled in MDM or not.
You can manage devices just fine with MDM even if their apps are not installed.
Maybe some of you knew this already — if so apologies — but it’s not always well understood.
@aaron it’s always good to delve into the details! Correct me if I’m wrong but all the agent apps do is ask for permission to access the APIs right?
An XML file which contains the config profile
*Thread Reply:* Everything is done with Apple's MDM Protocol...there's no need for an agent. : )
https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf
Most of them do it via the web. No need to have the app at all depending on the scenario
I think Apple even asks EMMs to move away from any sort of app based enrollment requirements
But what I saw is that most EMMs can only do so much if you don't have an app installed
Not totally true depending on what you are trying to accomplish (and who the EMM is, I suppose):
Without app: All configs (wifi/vpn/mail in Apple client); Device restrictions; App distribution/management; Device customization (home screen, wallpaper, etc); Actions - wipe, reset passcode, mark as lost
With app (capabilities that most EMMs provide, there may be others not here): Location services (can be disabled by user); EMM-specific mail client/doc container; Messaging (in the agent - not iMessage); Add-ons - browser, document editors, VPN and some sort of gateway agent maybe
Even though not very important anymore, the MDM client can do jailbreak detection and some device-local conditional access / compliance enforcement also.
Why shouldn’t it be important? Also compliance enforcement is an important thing🤔
I do not think Jailbreaking is really a thing anymore, except for a select few. Rooting seems to be a lot more common. Device local conditional access / compliance enforcement is important, but it seems limited (probably due to the fact that the MDM client is not really an admin on the device)
Jailbreaking allows a user to download any app (Cydia, SSH etc) without being checked by Apple. A lot of those apps have been repackaged, which means people can add dodgy stuff...therefore those apps may have control of features you may not want them to have control of...IMO jailbreak detection is still very important.
A lot of people use profiles to add non official “App Stores” to their device and download apps that have been altered by god knows who
No need to jailbreak to access non official app store 😉
The classical way of jailbreaking is not there anymore, I agree, but people have already found multiple different ways to go about this
Is there a way to open company links received via Email+ only with MobileIron Web@Work (and prohibit Safari for these links) and allow non-company links with Safari? I doubt there is such a way. Of course internal websites which are only available for Web@Work can't be accessed with Safari without the use of Tunnel anyway
*Thread Reply:* Only if you can rewrite them in the form of: mibrowser://<intranet_link>
*Thread Reply:* Ok got it. Like rewriting intranet link with Exchange, not sure if that is possible
*Thread Reply:* Pass, beyond my level of knowledge, I’m afraid. Is Safari + Tunnel not suitable for your needs?
*Thread Reply:* Tunnel is Platinum 😜 we only have Gold!
*Thread Reply:* Ok, so it’s not a valid security risk reason why you’re not upgrading, just that you’re being tight-fisted? 😉
*Thread Reply:* Joking aside, Tunnel is a tremendously powerful and user-friendly feature that accelerates adoption, use and satisfaction for many organisations - though I can’t make the value vs price decision for your company, of course.
*Thread Reply:* You can use the KVPs: allowsafaribrowser = false, emailurlschemehttp=mibrowser and emailurlschemehttps=mibrowser
*Thread Reply:* @Almar Diehl 👍 great, thank you. That would mean links received via Email+ would only open with Web@Work, sounds good. Non-company links received via Email+ would then also be opened with W@W, so I think there is no way to differentiate by domain name. @Jason yes I agree with you, Tunnel is great but not in the budget right now.
Congrats @Adrian Patrascu well composed and easily understandable blog. Will it impact only the initial enrollment of BYOD devices in EMM? or Corporate owned devices will also get impacted?
*Thread Reply:* Thank you Yasar. Glad to be of help!
*Thread Reply:* Corporate owned enrolled with DEP is not affected @Yasar
Interesting Use Case - iCloud Photo stream is allowed for personal use for one customer. Looking for sort of business context camera and gallery application for integration with MobileIron, so private and business data can be separated and the business photos will not end up in the iCloud Photo Stream. Any pointers for a good app that could be used for that?
*Thread Reply:* Devils advocate if I may - what would be the point? There would still be nothing stopping the user from taking the photo and saving it to their personal stream. Doesn’t MI provide a containerized documentation app that could be used for securely storing anything business related?
*Thread Reply:* Agreed, but the same goes for Android Enterprise then, where you can also have two camera apps. In the end it is up to the user, but they need to sign a waiver for that. Yes, Docs@Work, but you can't take pictures with Docs@Work though.
*Thread Reply:* I can definitely recommend some camera apps to unify the experience in AE work profile, but nothing on iOS - though a Box For EMM account would probably do the trick if there is the budget for it. We use it internally and between that and Slack, I barely touch my email for internal communications anymore 😂
*Thread Reply:* You can use Captor https://marketplace.mobileiron.com/listing/captor%20for%20mobileiron
Are any of you using anything to sync a large contact list across iOS devices? I need it to be able to be used in the phone for caller ID etc. Don't want to do it across mailboxes using ActiveSync.
Try a CardDAV server. We have clients that use something like an open source version to push down contacts in bulk via MDM
@Sharkey the CRM app used by the company; it’s the CRM's job to manage a large contact list for the company
If somebody forgot his iphone password and the device is not connecting to wifi or mobile data anymore, is there a way of resetting the passcode other than factory resetting the phone using “Restore”?
No, not really. You can insert a pincode-less SIM card and see if it connects to the mobile network
Use Ethernet to connect the device to a network?
@Julio had the same issue with one of our customers about a month ago. They did the trick with the pincode-less SIM card. The 3G/4G connection is made upon the pincode screen when the SIM has no pincode. When the SIM has a pincode, the phone must be unlocked before the SIM card makes its connection
I think on some iOS versions, this did not work however. With the latest versions of iOS, it does seem to work properly again.
Same experience here. Also, there was a time that the SIM pincode was asked in a pop-up on the passcode screen, but that was a long time ago
As for Ethernet: you can buy (yet another) dongle to supplement your life in Apple’s bubble: https://9to5mac.com/2017/03/01/ios-10-2-ethernet-adapter-ui-settings-app/
@Mark Vonk I also had the experience with previous versions that sometimes it worked and sometimes it didn’t
Ethernet one saved a customer that played with WiFi Whitelisting 😄
120 devices impacted => Amazon.com > Bought dongle 😄
Via 9to5mac, Apple has added Federated Identity with Azure AD to Apple School Manager. This is for SCHOOL manager, not BUSINESS manager, for now; and only for Managed Apple IDs, which are not at all common in business. But good to see Apple embracing SAML for their own web services — very open!
https://help.apple.com/schoolmanager/#/apdb19317543
Possibly a beginning to managed business apple ID's
Wow, great news. (First thing I did was check out ABM to see if it had changed, too…)
I wonder if they’re really limiting it to just AAD for now, or if you could get another SAML IdP to work
Looking at the info.. surely any IDP would work as its just SAML?
Is it using federation just for access to the ABM portal or for device enrollments, etc?
It uses SAML for Managed Apple IDs, automatically creating new Apple IDs if needed.
Access to the ASM portal and device enrollment is still user/password.
@Woody Apple is using SAML but they aren’t opening it up to other IdPs it seems
*Thread Reply:* Yes..you need to manually install the profile by going into settings. I just checked on my ios device with intune
(could check obviously, but did not have the time yet)
iOS 12.3 beta is out: https://www.macrumors.com/2019/03/27/apple-seeds-ios-12-3-beta-to-developers/ Appleseed has been updated
Part of the iOS 12.3 beta is a feedback survey about the manual MDM enrollment changes (profile workflows). I'd recommend telling a friend to tell a friend to take it. I doubt Apple will do anything, but I've heard nothing but negative feedback and it may be useful for Apple to hear it as well, if only to prevent further changes like this in the future.
If you install the beta, login to the Apple Feedback app and look for the "January 2019 - Profile Experience Test Plan" survey
*Thread Reply:* The infinite problem with Apple is that they act, and only afterwards do they think that maybe they impacted businesses...
What is the best way to gather ActiveSync logs from the native mail app without macOS?
If you have a developer account, you can get a syslog profile from Apple which will include logging for native mail. A lot of it is privatized though, but it should help depending on what you're doing.
https://developer.apple.com/bug-reporting/profiles-and-logs/
then you can generate the syslogs from the device as a zip file and then simply move it around using iTunes
Ok thanks. Is there a better way with macOS?
You could use AC2 console logs to gather what you need, but a lot of the debugging there has been moved to syslogs
so you might not get what you need like you can with syslogs. If you have macOS, you could easily airdrop the zipped syslogs once generated from your iDevice to your macOS
Is there a difference between the iOS device level logs pulled from Xcode vs. AC2 vs. Console? My understanding was “no” that it’s the same, and that advanced logging is all via the sysdiagnose profile
Thanks for verifying. I think this dev is just being picky for no reason
Which is the best product to manage Mac devices?
*Thread Reply:* I would say, depending on your needs 😉 Some will say Jamf, others will say a UEM vendor such as VMware or MI... but again, it really depends
*Thread Reply:* Had a look at Fleetsmith? (https://www.fleetsmith.com/)
*Thread Reply:* Here’s “best” for Uber: https://mobilxperts.slack.com/archives/C1U1G6PGR/p1554395025040900
*Thread Reply:* Uber is a MobileIron (Cloud) customer :-)
*Thread Reply:* Thank you for the suggestions. Will study all of them considering my needs.
When we receive a telephone number with the native mail app or a container PIM client, is it somehow possible to open the phone number with a different calling app and not with the native caller? Calling via Cisco Jabber - The use case is phone numbers which have been received via mail should be called via Cisco Jabber with one tap on the number. I doubt that this is possible regardless of the MDM solution
*Thread Reply:* CommunicationServiceRules
Optional. The communication service handler rules for this account. The CommunicationServiceRules dictionary currently contains only a DefaultServiceHandlers key; its value is a dictionary which contains an AudioCall key whose value is a string containing the bundle identifier for the default application that handles audio calls made to contacts from this account.
*Thread Reply:* It is in the exchange payload
*Thread Reply:* Thanks @NicolasR, totally missed that one! 🙈👍
Does someone know where I can find URL scheme definitions for the iOS version of the Kaizala messenger?
Anyone know where the ‘never’ option in auto-lock has gone? It used to be there in previous versions ...
*Thread Reply:* Thought that the option was only removed when an Exchange mail was configured.
*Thread Reply:* Nope, can’t find it on all of my iOS devices - seems they removed it
*Thread Reply:* Sucks if I need to test an app that needs to be kept in the foreground
*Thread Reply:* Typical of Apple - I’m going to open a case
*Thread Reply:* I still have that option "Never" in "Automatic lock".
*Thread Reply:* Ok I’ll double check we haven’t set a restriction for this
*Thread Reply:* Settings > Display & Brightness > Auto-Lock > Never
*Thread Reply:* Yeah I don’t see that option
*Thread Reply:* Then there must be something configured or installed(policies/restrictions) that blocks that option
*Thread Reply:* Yep that’s my thinking - checking now
*Thread Reply:* Probably a reason for it security wise
*Thread Reply:* Yep iOS passcode profile set to 5 mins 🤦♂️
iOS 12.3 beta 2 is out. Appleseed has not been updated yet
Hey all — we are looking for someone to do some contract work to rebuild one of our iOS apps. I’d love a recommendation or intro from anyone in this group.
*Thread Reply:* It’s a pretty simple app, and we are looking to add some BLE (Bluetooth Low Energy) and proximity features. Experience with those systems would be ideal. But in general a solid developer would be great, for approx 1 month part time.
*Thread Reply:* @aaron I’ve got a guy. @jj Need to see if he’s got any availability
Hey everybody, anyone using Cisco Jabber with SSO? I was wondering if this is supported by the application, similar to OAuth with the native mail app.
*Thread Reply:* what do you mean by similar to native mail app?
*Thread Reply:* With the Modern Authentication option within the Exchange config where you can authenticate against an IdP (OAuth). Not sure if this can also be done with Jabber on iOS
*Thread Reply:* You can use federation and any SAML-based SSO with Jabber, so yes you can auth against other IdPs
Hi, maybe it suits better here; I’m having issues with iOS devices that are enrolling into my Workspace One environment. The devices are enrolling but not picking up compliance policies, profiles and assigned apps. When you check under Troubleshooting and Command, I see this;
*Thread Reply:* We had an issue with one of our customers, where smartgroups were not applied to newly registered devices. The issue was solved by an update of the system.
Manual workaround that worked for us was to open the smart group and save it again (no changes needed). This applied the smart group to all currently enrolled devices.
*Thread Reply:* You opened each smart group and just saved it again?
*Thread Reply:* Yes. Solved the issue temporarily until we implemented the upgrade.
*Thread Reply:* Is that then a system error, so a ticket with VMware should be opened? We are on SaaS, so it’s a bit difficult to update by ourselves, especially since we just received the last update yesterday or so.
*Thread Reply:* It was a system error on our system (on-prem), so I would suggest to open a ticket with VMware.
*Thread Reply:* usually on-prem this is a hanging Smart Group Service or maybe even crashed
*Thread Reply:* Read it in the documentation, but since we are SaaS I assume there is nothing we can do except from opening a ticket right?
I figured out that the devices affected by this are in the right OU but do not get assigned to the right smart groups
Hm still, if the assignment was incorrect it wouldn't even queue the request normally
@Jordan Philip has joined the channel
@Jacques Aing has joined the channel
how can i trigger an OS lookup and update on ios devices that don’t have the hub application installed? i have a bunch of devices, that are already updated but in the system you see the last scan for profiles, apps and stuff is from a month ago, even though device last seen is from today.
*Thread Reply:* Do you have access to the device? Maybe it’s on but locked. In which case it would not report much information since its locked. It would respond but iOS limits information when locked.
*Thread Reply:* I currently don’t have a device that I could check immediately, but data samples that are over a month old because of the device being locked every now and then?🤔
*Thread Reply:* check in intervals are scheduled by your server, if the scheduled check in happens when locked, then yes it would not give much info. I have people that plug the device in, drop it in a drawer and never pull it out. It checks in, but never gives much info beyond that.
is there a way to see a more verbose list of changes in iOS 12.2? We can no longer "Remove" an Exchange Mailbox under "Passwords & Accounts"
*Thread Reply:* Does this help? https://support.apple.com/en-us/HT209084#122
*Thread Reply:* Is removal allowed in the profile it is configured with or is it manually configured?
*Thread Reply:* @Konstantinos Leivadaros this is great info https://support.apple.com/en-ca/HT209599
*Thread Reply:* but I don't see any changes that would account for what we are seeing
*Thread Reply:* I found a device on 12.1.4 and its missing "Remove" as well, so maybe not a new issue?
*Thread Reply:* I don't know if the "remove" option is available for mailboxes provisioned by MDM / EMM.
*Thread Reply:* You are actually adding and removing a profile which configures the email account so the question really is if you have allowed the removal of the profile configuring the email account. You can find this in the “General” tab of the profile
*Thread Reply:* ...And usually MDM profile removal requires removing them all, I've not seen iOS to allow a piecemeal removal of profiles.
*Thread Reply:* Send a picture of the “General” tab of your email profile
*Thread Reply:* Sorry, I am not in front of an AW console so trying to remember by heart
*Thread Reply:* @Andrew Olpin we have a separate device profile just for exchange so we can remove just it or update restrictions without impacting a users mailbox
*Thread Reply:* WS1 best practices was always to use separate profiles for each functionality so Exchange profile really is best on its own
*Thread Reply:* @Lukasz is right. Never combine payloads unless absolutely necessary (i.e. Wi-Fi & Credentials).
*Thread Reply:* @David F it is not possible (and never was) to remove an exchange account on the device with the "Delete Account" option, if it was pushed through an MDM. The option is only shown for manually added accounts.
In case anyone has any idea or has seen this behaviour: https://mobilxperts.slack.com/archives/C7MF5T6KH/p1555343907002600 🤔
*Thread Reply:* Ran the scenario on a device and couldn’t reproduce - is this happening across iOS versions?
*Thread Reply:* Most of our users are on iOS 12. It happened to me and a few of my colleagues. MSFT told me the issue needs to happen live in order to find the root cause
*Thread Reply:* Chinese government is watching you 😂
*Thread Reply:* That’s not going to be easy unless they put debug logging on the servers in the cloud and on all the clients which I highly doubt
*Thread Reply:* By the way it happened to me with Thai characters with O365+native macOS client
*Thread Reply:* Never complained because my company didn’t support officially macOS native client :-D
*Thread Reply:* We only use the outlook mobile client - never used the native client.
Anyone have any luck getting the iOS update with MDM commands to work well? Has anyone heard about any planned improvements? We use AirWatch. They seem to work with major caveats: the iOS download command blocks all commands when sent on cellular until the device is connected to Wi-Fi, and the install command just prompts for the passcode if you have one.
hey @here I remember I had an Apple KB link which explains the way iOS DEP device backup & restore actually works, and this KB explained why backing up a device as non-supervised overcomes the supervision setting on the device if it’s restored after DEP enrollment (on the same device)
I think this is the one: https://support.apple.com/en-gb/HT202977
*Thread Reply:* I remember I searched for something similar a while ago, but did not find anything in this regards. I am pleased to see such an article existed, and disappointed to see it was already removed before I could use it.
*Thread Reply:* These are not the pages you're looking for.. Move along 🤖
*Thread Reply:* Interesting though because I have similar problems and this would be really great to have.. Will check archive.org
*Thread Reply:* Indeed.. Apple must have a robots.txt blocking them
*Thread Reply:* Apparently the cache worked at some point in the past: https://www.reddit.com/r/ipad/comments/5gogol/restoring_from_an_icloud_backup_to_a_depenrolled/
*Thread Reply:* Also interesting: https://forums.ivanti.com/s/article/Transitioning-devices-into-Apple-DEP
*Thread Reply:* I found this one: https://support.datajar.co.uk/hc/en-us/articles/206944489-Restoring-user-data-after-moving-into-the-Device-Enrollment-Program
*Thread Reply:* I was looking for the same last week. Good to know I’m not crazy. Or I’m not the only crazy.
*Thread Reply:* The Wayback machine comes to the rescue: https://web.archive.org/web/20150214031317/http://support.apple.com/en-us/HT202977
*Thread Reply:* …but I don’t think this is the one you are looking for @NicolasR
*Thread Reply:* It is...!! But was searching in archive.org without success! Thanks man
*Thread Reply:* Perhaps this could be useful too: https://mobilepros.org/2019/02/ios-device-management-backup-and-restore-reference-guide/
*Thread Reply:* @Matthew Shaver FTW
Can I restrict users from changing the APN settings on the device? Restrict Modify cellular plan settings on the device maybe?
*Thread Reply:* That only prevents the user from changing the app settings related to cellular data. APN can't be disabled in any restrictions I'm aware of; disabling or restricting editing would be handled at the carrier level
*Thread Reply:* Perhaps if you set an APN via MDM this will prevent the setting from being changed? I don’t know, am just guessing.
*Thread Reply:* Currently we deploy APN via MobileIron Core, but the values still can be modified by the users. We need to switch to Cellular policy anyway because APN will be deprecated by 🍏.. maybe with Cellular policy that works. I just thought that there has been a restriction to prevent modification of mobile data settings.
hello, I read that APNS flow does not support proxy. Can somebody explain to me why? Thank you.
*Thread Reply:* I've simply known that APNS (as a protocol) just doesn't support the model. Never seen much on why, that would be up to Apple to discern 🤷♂️
*Thread Reply:* At least with WS1, it does support proxy. But it needs to be a SOCKS proxy.
*Thread Reply:* https://support.apple.com/en-us/HT203609
*Thread Reply:* ^^That's the only article I think I’ve ever seen directly from Apple on the subject. We opened a ticket once hoping they would shed more light, but we got a pretty canned “this is expected behavior” response and they closed the ticket
*Thread Reply:* haha, that is expected Apple behavior
*Thread Reply:* From client side: iOS 12 brought support for APNS through Proxy
From server side: APNSv2 protocol might help as it is now HTTPS
*Thread Reply:* Apple is transitioning from ”binary” APNs protocol to APNs2 which is HTTPS based. @NicolasR do you know about documentation/KB article mentioning iOS12 support for APNs over proxy support?
*Thread Reply:* ^^I’d be curious to know about that. I don’t recall seeing anything related to it in the Appleseed notes. I’ll check the iOS 12 Security Reference guide
*Thread Reply:* can’t find the document but it was something Apple announced via email to partners when iOS 12 was out
*Thread Reply:* What's the use case here? Mobile devices on WiFi and no data plans where WiFi is via proxy to internet?
*Thread Reply:* @Lukasz Wi-Fi only (and usually single purpose) iPads in highly restricted environments like banks/government. It is also common problem with macOS management. For example iPads used for document signing.
*Thread Reply:* We had a case like this for iPads that were being used as a mainframe interface. The network they were connected to day-to-day didn’t allow any traffic related to APNS. The solution ended up being a dedicated terminal where they could be hardwired to a connection for updates (this worked on 2 levels since the device couldn’t be connected to the external internet and the mainframe at the same time since only physical connections to either were allowed). It’ll be interesting to see if this iOS 12 stuff pans out, I still haven’t found any official documentation on it
@pihlapuro has joined the channel
Anyone know if Apple will support SAML during DEP enrollments someday?
*Thread Reply:* Yes the lack of any kind of "Apple ID Corporate" program is a big pain on this platform IMO. Even though we can cover some aspects of it through DEP (like the Activation lock) it's still quite annoying that users have to create their own account with Apple to download stuff from the app store and we can't manage it (of course VPP is an option but it requires going outside the apple ecosystem with a private store if you want to do it on-demand)
*Thread Reply:* I really hope ABM is a move towards my AD user accounts becoming managed Apple IDs
I'm always working through it and the DEP gets in my way, oh well
:apple_icon: WWDC is the week of June 3, and the Business session is traditionally Thursday morning.
School Manager supports AAD via SAML right? So, maybe someday far far away without committing or suggesting or implying that it would be coming to DEP at some point.
Interesting article. Many (all?) of these parental control apps were using supervision & MDM to manage child devices. Apple seems to be cracking down on this practice now. Of course the app developers are complaining. But I don’t think they should have been using supervision in the first place. Thoughts? https://www.nytimes.com/2019/04/27/technology/apple-screen-time-trackers.html
*Thread Reply:* Also relevant: https://www.macrumors.com/2019/04/27/schiller-screen-time-crackdown-mdm/
*Thread Reply:* Benedict Evans had an interesting take, which was essentially that one person’s parental control app is another person’s spying-on-a-spouse/ex app https://twitter.com/benedictevans/status/1122305422864474113
*Thread Reply:* I think Phil Schiller has a good point. And I'd rather see them addressing it by blocking these apps than restricting MDM functionality 🙂
*Thread Reply:* I agree @Tycho. This just fuels the privacy fire when it comes to corporate use of MDM though.
To continue the whole MDM and parental control saga, check this out: https://medium.com/@ourpactapp/there-used-to-be-an-app-for-that-41344f61fb6f
*Thread Reply:* This is a statement from one of the vendors whose app got pulled. One huge problem is that none of the parties involved are making the distinction between supervised and non-supervised use cases, and what happens via MDM and via their agent.
*Thread Reply:* Let’s just hope that Apple has some surprises in store at WWDC for BYOD and parental controls
*Thread Reply:* They also confusingly claim multiple times that Apple invented MDM technology
*Thread Reply:* The comments made through Apple’s media and Phil himself are blatantly not true unless Apple themselves have found a flaw or flaws that open up access to MDM controlled devices to unknown sources. This is going to continue to muddy the waters of MDM and make it more difficult to get the truth out about this protocol and services that depend on it. I’d like to see the security research that Phil references in his comments.
*Thread Reply:* I think Apple was talking about cases where somebody gets social-engineered into installing malicious profiles or enrolling in MDM controlled by a malicious party.
*Thread Reply:* Yes, I’m sure they were. But the broad nature of the statement doesn’t specifically address those “bad actors”. Nonetheless, they should share their security research so that these “good actors” know what to avoid and thus be allowed to maintain their livelihood. This just seems so heavy handed and without warning, that it seems like a security breach announcement would be next.
When I enroll a device in WS1 not all the VPP apps get assigned to the device; some of them give me the error code “12064 the license for the with itunes store-id xyzcs could not be applied”. Does anybody know a fix for this?
*Thread Reply:* So I tried several things, the only thing that actually worked, was logging in with an Apple ID while enrolling the device so I could accept the terms and conditions, which possibly led to the installation of the apps. But that doesn’t make sense, because I’m trying to do VPP because I want people to be able to enroll without Apple ID. I’ll open a ticket with WS1, just to see if they can help with the issue, even though this sounds like an Apple issue.
*Thread Reply:* Make sure you've configured the app with device based VPP, not user based VPP
*Thread Reply:* https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.6/vmware-airwatch-guides-96/GUID-AW96-MD_DvcBsd_Ovrvw.html
@Daniele Crippa has joined the channel
Alright, embarrassing show of hands time, who here has let an APNS cert expire in the last year or so? If you have - did you actually notice any issues (not withstanding the time where no valid cert was present) once a new cert was uploaded? 5 years ago I was haunted by the thought of APNS expiring and an environment being forced to re-enroll every single device. However, I've seen multiple APNS certs expire in the past year with no negative impact to the environment once the new cert is loaded. Can anyone corroborate? Apple has not been super explicit about the behavior of this mechanism and I haven't seen any updates since I really started my MDM ~journey~
*Thread Reply:* In case you've ever had a click-happy admin who decides to get a little crazy before you get into the screen-share... even revoking a production APNS cert, then renewing, will not force a re-enroll of all devices. I called Apple right after I noticed he did this, and eventually a tier 3 engineer called me back and said we were basically screwed and would need to re-enroll 1250 devices. Within 24 hours, the cert would be on the revocation list, and that would be that. We're now in hour 28, and no issues. I feel like the more I learn about this, the less I know. It appears that as long as the cert topic is the same, it really doesn't matter.
apparently "~* *~" causes strikethru. Neato
@Justin Butts APNS expiry does prevent enrollment, but does not unenroll the device if the expiry lapses. Upon expiry lapse, the enrollment and commands sent to enrolled devices will no longer function. Essentially, the device stops listening to you. However, once renewed, the devices do begin to listen and take action again.
@jafullersr That's exactly what I've thought, but since I started, every MDM admin and engineer I talked to would preach how the fallout of an APNS expiration forces an entire re-enroll of your already deployed devices
Yes, with that said, we have had multiple customers with expired APNs certs. Some of them expired more than 30 days, so renewal was not an option. In that case a new cert with new subject was created and the devices had to be re-enrolled.
As mentioned it matters if you can still renew it or not
@Mark Vonk Yep! As long as you're within the window to renew, everything is Gucci
I've always been told if it expired it's a re-enrol job, which I thought was insane
Also, you must renew the correct APNS certificate. Oddly enough, you’re able to upload ANY APNS certificate to the EMM and there is no validation that it’s a renewal and doesn’t stop you if it’s not the correct signature.
@Jason Bayton Same! I'm relieved to hear that's only the case when it is too far out to renew
When it expires you still have 30 days to renew. When you can’t renew it anymore, you need a new cert and then re-enroll
If you upload the wrong APNS, you may end up in a re-enroll state. Or you work with a DBA to roll back the renewal.
Hi Guys, we have a very interesting issue I would like to share; maybe some of you have seen something similar. When launching internal apps installed on iOS devices from the Corporate App Store while on corporate WiFi we receive an error message: "Unable to Verify App - An Internet connection is required to verify trust". For sure this is a WiFi issue with our corporate setup, but I was wondering where I could find a document on Apple's side that has this information. This looks similar to the trust of the Enterprise Profile that was documented here: https://support.apple.com/en-us/HT204460
*Thread Reply:* I believe the device needs to be able to reach certificate revocation servers, so iOS can check the validity of the app signing certificate. This needs to be done at first launch, and every few days after. I’m not sure of the address, it could be ocsp.apple.com.
*Thread Reply:* The article you linked to mentions https://ppq.apple.com
*Thread Reply:* Thank you Aaron, yes I see that on the end of it, but I was wondering if there are more details in regards to ports. I know Apple uses 17.0.0.0/8, but other details would be helpful. Maybe this would be a question we would need Apple to answer.
Hi, in the iOS native mail app, whenever a user starts typing the name of a user that is not in his contact list a Global Address Lookup is performed. However, we see a huge delay in the lookup. From the logging we pulled we see that every character that is being entered takes 1-2 seconds. Therefore whenever a user enters 5 characters it takes 5 to 10 seconds for a result to be displayed. This leads to users complaining that the lookup is not working at all (although it is working, just very slow). Does anyone know of a solution for these delays?
*Thread Reply:* Try this one : SecureContact X Business https://itunes.apple.com/de/app/securecontact-x-business/id1450074955?mt=8
Secure „offline“ Storage for GAL Contacts. For trial Version please Send me a Message
@Sebastian Randig has joined the channel
Can anyone maybe give me a hint, which setting in AirWatch I have to edit in order to disable the proximity sensor for kiosk devices?
Unfortunately the case of the device is interfering with the sensor, therefore the brightness changes, turns darker
*Thread Reply:* Apple has no interface to disable “auto brightness” over the air. So AirWatch and other MDMs can not control this. However the setting is saved with backup and restore. If you restore a backup as part of your provisioning process, you can disable auto brightness, and set brightness to whatever level you want. You can use a tool like Configurator or #groundcontrol for this.
Hi, Has anyone used the Exchange Profile Oauth 2.0 setting in conjunction with Powershell integration such as VMware Powershell Integration or MobileIron Integrated Sentry here, that can give me some input?
*Thread Reply:* Oauth is just authentication, powershell is after the fact to add/remove authorization to sync. So they are independent of each other.
@Willem Verstegen has joined the channel
Has anyone seen their environments have their VPP license revoked following the outage yesterday? We've had several clients now with revoked tokens out of nowhere - Apple made no mention of this in the outage. Anyone else out there experiencing this?
@Juan Olivares Jr. has joined the channel
@here what’s with automated enrollment devices getting into a crash loop at the privacy screen
If rumours are to be believed, then models such as the iPhone 6 Plus will no longer be supported when iOS 13 lands, any truth to this: https://www.macrumors.com/2019/05/10/ios-13-drops-iphone-6-iphone-5s-iphone-se-rumor/amp/
In my opinion, it’s pointless to worry about rumors now. You will know for certain in a few more days.
Agreed and this isn't anything new is it. Apple always deprecates support for older devices and an iPhone 6 is from 2014!
I think that these kinds of deprecation will slow down as the appearance of innovation wears out and phones all reach general parity
I've always generally assumed Apple will only support devices for 4-5 years post initial launch. There's a lot of hardware change that happens in those years.
Only support them 4-5 years? Android has been a struggle to get more than two. 4-5 is amazing!
Agree. Complaints on a 4-5 year lifecycle with mobility is kinda funny when most IT departments are on a 3 year lifecycle with laptops.
About the rumour: I am not sure. The 6S and SE have 2Gb of memory, the older ones only 1 Gb. I would not be surprised if the 6S and SE would still get iOS 13. Many customers of mine still have a lot of SE devices in use, because of the form factor and pricing (it was pretty cheap back then). So if true, the more security conscious will have to upgrade (part of) their fleet. Even still and indeed, the 4-5y lifecycle is pretty good. Most customers financially depreciate hardware in 2 years, so it’s time to upgrade anyway 🙂
And, to be honest, Apple hasn't dropped a handset from new OS support in a couple of releases. They're overdue. Not to mention, iPhone sales are slipping and this may help move the needle.
Apple was selling SEs on their site (the clearance side) a few months ago so I do not find it likely they will drop support this time
That's a shame but my iPhone 6 was getting too slow anyway (it's only a dualcore).. I moved to a Samsung S8 instead as I could no longer afford Apple's premium
has anyone @here been able to download a beta profile? All I see is Xcode
Hmm yesterday right after the keynote I just found a recovery image
You'll have to find the ipsw if you don't have a developer account.
I can’t see the iOS 13 restore images either. They haven’t made them available to Enterprise Developer accounts for some reason 🤔
Weird, I can see them and I have an enterprise developer account also.
It's a bit strange, there's no OTA profile for iPhone yet. IPSWs are not available for everyone either. I downloaded the IPSW files from a Google Drive (not the official way, I know).
Did the agent sign in and agree to the updated terms? Just curious sometimes that’s an issue.
Here also not visible until about an hour ago, check again! 🙂
Stupid question but do you still need a paid developer account to get the betas?
Yeah. Then you need a developer account in the meantime
Probably rolling out slow as to not kill apple servers
our agent just signed today but for me as an admin the download was visible
@Timothy D has joined the channel
hi all. Q for you. Anyone found a way to enable containerised email clients like EMail+ to be able to display personal (iCloud, GMail) calendars alongside work calendar? full data not really required here, just free/busy would do. I'm thinking something similar to the custom config to allow contacts to be visible. thanks in advance
Has anyone used single-app mode together with Per App VPN? Seems to be an issue with apps that need to be tunneled with help of the Per App VPN app (such as VMware Tunnel) since iOS is only allowing the kiosk application to run.
https://developer.apple.com/videos/play/wwdc2019/303/ FRIDAY 12pm MST - Apple MDM Webinar - hopefully they'll dig deep into what exactly everything we saw earlier will look like
*Thread Reply:* To be clear, this session is coming on Friday. They will have a lot to cover in one hour. Not sure how that will work.
*Thread Reply:* Yeah I was just going to say, this is on Friday. They'll probably post the video only after (not livestreamed). It is a lot of course but I think they'll just give an overview and give links to the actual docs where we can deep dive.
*Thread Reply:* • user-enrolled MDM (the new BYOD)
• data separation
• managed Apple IDs
• “modern authentication” for DEP enrollment (and elsewhere?)
• SSO Extension (?)
• New rules regarding MDM use by third parties
• iPadOS (of course that’s aimed at businesses)
• activation lock for Mac
• iCloud for Enterprise
*Thread Reply:* Thank you guys! Forgot to mention the actual date -_-
*Thread Reply:* No guarantees when it will be actually ready to use either, based on past experiences
*Thread Reply:* Here are the sessions I’m looking forward to: • https://developer.apple.com/videos/play/wwdc2019/303/ • https://developer.apple.com/videos/play/wwdc2019/304/ • https://developer.apple.com/videos/play/wwdc2019/504/
*Thread Reply:* Nice!! I didn't realise FIDO2 was coming
*Thread Reply:* Livestream just ended, was pretty cool.
Following up the discussion on the beta, now I can have access to the IPSW for the beta
*Thread Reply:* I've access now as well
@Adam Stephenson has joined the channel
@Anthony Ridley has joined the channel
I am going to do a Google search on this to track down some more "official" statements to present to a customer, but I was asked in a meeting yesterday if I could give some details on why it's a bad idea to let users jailbreak their devices. Of course, I have right off the top of my head about 50 reasons (lol) but I do need to back up these ideas with further details.
*Thread Reply:* I cannot believe that would actually be brought up; maybe the fact they can copy all the data on the device, as can anyone taking advantage of the security hole that a jailbreak is. Basically assume anything safe to have on a jailbroken device can be posted on the internet, including live microphone, camera and location feeds. If they are okay with that then it may be acceptable. If you want official statements I would check the iOS Security Guide from Apple
*Thread Reply:* With mobile operating systems, much of the security is based on the operating system controls. It keeps the credentials for authentication, wifi login information, passwords, etc. If the device gets jailbroken, it's light years easier to get access to that.
additionally, these devices have lots of sensors and go with us everywhere. If your CEO is driving to the HQ of a competitor planning a buyout, that may be information that could come under the jurisdiction of the SEC.
*Thread Reply:* There is also no guarantee that any MDM controls you apply would be enforced.
*Thread Reply:* The jailbreak may expose the encryption key in plain text as well.
*Thread Reply:* I agree with @DirkC on these points. I would also ask what their posture is for iOS updates as a whole. I have found the jailbreaks are becoming harder and harder with newer releases of iOS. I find most organizations require or at least recommend users be on a certain iOS update to ensure patches to vulnerabilities and bugs. Most jailbreaks are a few versions behind that, which means they are already exposing themselves to security vulnerabilities. Just my two cents 🙂
*Thread Reply:* It is so sad you even have to do this. Device is compromised end of story.
*Thread Reply:* if something like KeyRaider exists today that’s the only argument you need to have in your arsenal
Any input appreciated to help me narrow down the focus of this search.
Anyone have issues with Apple Watches not showing managed profile contact names, just numbers when iOS restrictions are in place?
*Thread Reply:* If the Watch is not managed it shouldn’t show the contact names, AFAIK. If you want that to show, you could try to enable “Allow managed apps to write contacts to unmanaged contacts accounts”. Even though I wouldn’t, if the Watch is not under management.
*Thread Reply:* @Julio good suggestion. However, watches can’t be managed (or unmanaged) because Apple hasn’t provided that framework
*Thread Reply:* What’s odd here is that it usually works but randomly will stop working
Hi.. Is there a way to view encrypted mails on iOS devices?
*Thread Reply:* Depends on what you are looking to do. iOS does support SMIME https://support.apple.com/en-in/HT202345
*Thread Reply:* That's useful. Thank you Jay.
I swear I could take a backup with configurator of an unsupervised device, reset it and then restore the backup and enroll so it was supervised. Now I can't seem to anymore. We use WS1 and Business Manager DEP A. If I do the restore before enrollment, it simply goes full consumer and skips enrollment entirely B. If I try restoring after enrollment, configurator complains the device is already prepared.
Am I missing something here or has something changed recently?
EDIT: OK. this occurs only if you keep the same device. If you change the device it will complete enrollment with the restored data (method A)
Is there anyway to accomplish this on a single device?
EDIT: Found a way. Restore to a second device, change the name in configurator and then backup and restore back to the original device. Hooray!
*Thread Reply:* I created this iOS backup/restore guide based on iOS 12 (I'll update it if anything changes with 13): https://mobilepros.org/2019/02/ios-device-management-backup-and-restore-reference-guide/
@Margaret Radford has joined the channel
@Marvin Martin has joined the channel
When I set the 90 days delay for iOS updates in a Workspace One profile, can I still force the device to do the update before at some point or do I have to wait until they’re over?
remove the profile and the delay goes away
*Thread Reply:* The use case I have is, it’s a bunch of kiosk devices and I want to update them building by building, so I was thinking of applying it to all and then start with a small group of devices, by just triggering the update anyway. Which would keep the rest that was not triggered in the delayed mode. Probably it might make sense to create a profile just for that purpose and excluding the ones I want to update on the planned day right?
*Thread Reply:* You cannot update by profile; you can by compliance policy. Be sure to pull the devices out of single app mode before sending the update if you were doing that. Excluding the ones you want to update should work. I have never tried to push an update through a block, so you may test if you need to; it would probably be wise to remove the block regardless
Yes, you can push the iOS update even if the 90-day delay is still in effect. The delay affects only user-initiated updates.
*Thread Reply:* Thanks for the feedback. Have you tested that scenario already?
*Thread Reply:* Also only applies to OTA updates, so iTunes or Configurator installed updates should circumvent
@Timothy Byler has joined the channel
@Zachary Shanholtz has joined the channel
@Daniil Michine has joined the channel
@Jean-Charles Godard has joined the channel
*Thread Reply:* @Andrew Montague Check that your Single Sign-On profile contains the bundle IDs of the Google apps.
Interesting: https://www.macrumors.com/2019/07/23/iphone-to-iphone-data-migration/
At least I don't have to smash the devices together to get NFC or something going
@Anthony Tedesco has joined the channel
I'm working on a Clinical Communications RFP for a "Voice, Text, Alarm" App deployed to iPhone 8 in a Cisco Wi-Fi environment. One of the vendors made a recommendation I've not considered on modern iOS hardware. They suggest always purchasing the GSM variant of an iPhone over the CDMA. I assume this is legacy advice based on buy-back residuals in the iPhone 5 era, but it made me consider if the radio chipset and device baseband programming could be better aligned for a Wi-Fi VoiP deployment with GSM hardware vs CDMA in a no-SIM deployment. That shouldn't make any difference, right?
*Thread Reply:* I don't see how cellular radios would impact a WiFi only deployment.
*Thread Reply:* We do a LOT of work with clinical communications iPhones, and I’ve never heard about this one. With no SIMs, the cellular portion is irrelevant. So I agree with your skepticism.
Anyone out there managing Dual Sim iPhones yet where one line is corporate and one is personal? How do you treat that device from a management point of view? If the hardware and corporate plan are provided, and a user adds their personal plan, I would assume it's still treated as a corporate controlled device, albeit one you can make personal calls from. Any thoughts around this?
*Thread Reply:* Dual SIM is interesting for having multiple phone numbers, but it doesn't really have anything to do with managing the device. There's still only one operating system, and any personal vs. corporate apps are still managed by the MDM configuration on the device.
*Thread Reply:* kind of. if it's a corporate device and users are allowed to add their personal phone numbers, it's essentially a COPE device, which absolutely impacts the management, depending on how you interpret this.
*Thread Reply:* COPE devices, per NIST guidelines, should be treated as a fully fledged personal device in regards to app management. That means no blacklisting.
*Thread Reply:* There's also issues with cross pollination of contacts, right?
*Thread Reply:* There's always issue with cross pollination of contact if you allow personal apps and contacts, but that's mostly a question of how you handle the device. For most companies, whether personal or corporate owned, the user is allowed to install whatever applications they want, so the added SIM doesn't alter much. You have to figure out your containerization plan and what your requirements are for locking down the device.
*Thread Reply:* virtually every one of my clients for the past 5 years has blacklisted some kind of app or another
*Thread Reply:* From my POV, I don't care if a user adds their personal phone to a corporate device, they're still not going to get to download Netflix, dating apps, etc.
*Thread Reply:* Hi Justin, that sounds like an interesting case, but I totally agree with your last point. The fact that they add a personal SIM to a corporate device does not make it a personal phone. They can use SMS, and phone calls from their personal SIM, but app blacklist and policies should remain as per a corporate device.
*Thread Reply:* That's the way we implemented it in our company. But to be honest: our blacklist is short (Outlook mobile & WhatsApp).
Can anyone share the Apple Bundle Identifier for iOS 13's "Find My" app? I need it to update some whitelist/blacklist settings on managed devices.
https://www.reddit.com/r/iOSthemes/comments/2n8bj5/list_for_a_bunch_of_bundle_ids_i_found/cmbdgyg/
@Ryan Kane in iOS 13 the app ID is com.apple.findmy. I checked my iPhone console logs for this. It’s a new ID for iOS 13.
@aaron are you aware of any other app IDs changing?
I wasn’t aware of this one changing either, until I checked. I’ll do a full comparison now. Ugh.
I think I have a device enrolled in it so I’ll check as well. Now I have to look at not just 13 but iOS vs. iPad OS. We can coordinate as this may make a good blog topic if there is a bunch of differences
@Markus Speicher has joined the channel
Does any of you know whether you need a special BlackBerry Dynamics SDK for the upcoming iPadOS (fork of iOS) that comes this fall?
*Thread Reply:* your best bet is to read the below support article. I've been told this includes iPadOS also.
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000057712
*Thread Reply:* Nice, thanks. BB will not develop its own iPadOS version of the BD SDK for now, it seems. Let's see.
Hi, I just found this great article and thought to share with you all: https://support.apple.com/en-us/HT210346. It is strongly encouraged to update all the iOS devices to this latest 12.4 version available.
@Sunith Mandalia has joined the channel
@Torben Volkmann has joined the channel
Has anybody seen any jailbroken iOS 12.4 devices pop up in their environment? With all the news out there, I figure more people might be trying it than in the last few years.
*Thread Reply:* I've been keeping an eye out on the numbers since the exploit is back in the wild but we really don't see any except for a few folks that do it on purpose to make homebrew apps work.
*Thread Reply:* Basic hardening should prevent jailbreaks, e.g. block users from installing enterprise apps, block users from installing config profiles….
*Thread Reply:* Possibly block USB-host connections for extra hurdle
*Thread Reply:* We block them immediately if they try... Agree with @Thomas B., but of course with BYOD there are limited options to do this.
*Thread Reply:* @Tycho what are you relying on to detect the jailbreak?
*Thread Reply:* WS1 built in detection. Not sure how good it is though
@Christoffer ST has joined the channel
@Mr.Anderson has joined the channel
@Daniel Vodrážka has joined the channel
Does anyone have further information about the container feature in iOS 13? Is this already in the beta? I have not read anything further about that. As far as I understood, this separation can be achieved with the new user enrollment, right?
*Thread Reply:* user enrollment is already here but requires EMM to enable it
*Thread Reply:* Gotcha. thanks @NicolasR - have you tried it?
When will MI Core target these new features? If this container feature is only relevant for user enrollment, I am asking myself whether we want to enroll our company-owned devices with user enrollment only because of that feature. Wiping devices is history then, as far as I know.
*Thread Reply:* MobileIron does not support it yet. Not sure about Workspace ONE?
*Thread Reply:* MobileIron is working on it and large customers have already asked for support in CORE/CLOUD. I guess it will come around CORE 10.5 or 10.6 (Q3/Q4 2019) *put the appropriate disclaimer here* 😉
*Thread Reply:* I read somewhere Intune was going to have support very soon. Anyone know if it’s out?
*Thread Reply:* SOTI’s mobicontrol will have support for user enrollment in the next release.
*Thread Reply:* Workspace ONE Getting Ready for Apple Fall 2019 Releases
https://support.workspaceone.com/articles/360024561354
There's a nice little section in here on what can and can't be done with User Enrollment and a video showing the enrollment process.
*Thread Reply:* Very useful link - I wish MobileIron would have similar content with these kind of info and videos!
If I include a "Payload Certificate" (user certificate) in an iOS Exchange profile with OAuth enabled, what will happen then? The customer uses ADFS with certificate authentication enabled. Will this remove the need to choose the certificate etc.?
*Thread Reply:* Tested. "Will this remove the need to choose certificate etc?" = NO 🙂
*Thread Reply:* You have to choose the cert in the Exchange profile as well.
*Thread Reply:* Also, are you using a system that needs both a cert and OAuth? If you are doing cert-based authentication, you do not use OAuth.
*Thread Reply:* No as Modern authentication is handled in Safari. It will work automatically only with CBA against Azure AD.
Has anyone had any experience in setting up company-wide shortcuts for people to be able to leverage? What I'd like to do is have a catalogue of validated Apple Shortcuts (Workflow, as was) that people can add to their devices and that we've created centrally (and therefore tested etc.). Whilst I know I could share individually, the concept of the catalogue would enable me to (hopefully) keep these updated as and when needed. I know iOS 12/13 introduced the concept of untrusted shortcuts; I'm also hoping that it's possible to force the trust of these if deployed via EMM? Appreciate any thoughts on whether this is even possible??
*Thread Reply:* 👍 Just need to work out if possible 😁, research time....
*Thread Reply:* Which EMM? If you are using Workspace ONE Access then shortcuts can be configured in the catalog.
*Thread Reply:* Hi @Andrew Montague, interesting. This looks like more of a web clip sort of approach though, so it wouldn't necessarily be a catalogue of shortcuts (workflows)? Not sure it would get through versioning limitations as well: if, e.g., I changed a workflow to include another variable (as an example), the user would still have their existing configured workflow in the app. We are also WSO customers, though, so if I'm missing something here this would be good.
@Ondrej Zerzanek has joined the channel
Is there another way to see iOS changes specific to MDM? I've been following the developer.apple.com posts but it's beyond what we need.
*Thread Reply:* Apple has a program called AppleSeed for IT which provides enterprise related features, beta profiles for download and also includes test plans that can be used to verify new features
*Thread Reply:* https://appleseed.apple.com/sp/welcome
*Thread Reply:* We have been using AppleSeed since it got added to ABM
*Thread Reply:* I was looking more for callouts to new MDM functionality
*Thread Reply:* VMware has basically told us that we have to export our device profiles before and after they seed new models and figure out on our own what's changed.
*Thread Reply:* Well… https://mobilepros.org/2019/06/wwdc19-enterprise-a-palooza/
*Thread Reply:* right, I saw this a while back, fantastic resource by the way
*Thread Reply:* Like, I think I can share this here: the Today View kind of caught us off guard. The PI exposure initially was a bit scary and it was not immediately discernible how we could control it.
*Thread Reply:* The Today View can be disabled on the lock screen. That’s been available in MDM for a few years.
*Thread Reply:* no I know, we were hoping for some granular redaction and ultimately never found it
*Thread Reply:* In Canada, touching a cellphone in a car is an immediate ticket, so we have to balance the PI exposure and usability.
*Thread Reply:* @aaron Do you know if it will be possible to use the managed AppleID in combination with Automated Device Enrollment?
*Thread Reply:* So you mean enroll as AD user but use managed Apple ID for iCloud, etc? I am not sure. It isn’t obvious that anything other than “user enrollments” devices allow two Apple IDs. No partition, so no data separation.
*Thread Reply:* The more I think about it, the more I think only UE devices will allow 2 Apple IDs. I can’t see Apple adding a user interface for a “company Apple ID” within the OS.
Now if you want to use a managed Apple ID as the one and only Apple ID on a DEP device, that’s probably fine.
User Enrollment isn’t coming until Sept 30 BTW. And it will need to be supported by MDM.
How do you know that, it was not mentioned at the keynote, was it?
Anyone recall how early they typically drop the GM seed?
Looks like iOS 12 GM seed was 5 days before, so we have a few days I guess
“iOS 13 will be available on September 19 as a free software update for iPhone 6s and later. Additional software features will be available on September 30 with iOS 13.1.”
Are they software features or Security features though 🤣
Sept. 30 is when the new iPad comes out. Wondering if the split into iPad OS is going to happen with 13.1...
https://www.apple.com/ios/ios-13/features/ has user enrollment with a ** which notates Sept 30th
My guess is that 13.1 also releases that day
Summing up the #AppleEvent
Same Apple watch but display is always on
Same iPad with chipset 3 generations old
Same iPhones as last year but camera is slightly better.
Small, content-lacking services starting at $4.99/month.
*Thread Reply:* No Jony Ive lulling us gently to sleep
*Thread Reply:* This sums up every Apple event basically 😉
*Thread Reply:* I was expecting a tracker too
*Thread Reply:* I'm disappointed that Apple Arcade isn't an actual arcade machine
*Thread Reply:* But it is still good for mobile gamers
*Thread Reply:* ya, I wasn't looking for more reasons for my family to stare at their screens, thanks Apple 👍
*Thread Reply:* Frogger was the headliner game.....sad business
Did anyone install iOS 13.1 Beta on an iPad? Does it already identify as iPad OS?
*Thread Reply:* It does. Running 13.1 on my iPad Pro
Is anyone aware that the golden master of iOS 13.0 still has the bugs with managed open-in and the native mail client? Are you guys deferring the updates 14 days (19.9 till 30.9), or what's your strategy?
*Thread Reply:* Interesting. First time I hear of it! Might you have access to the document that lists this known issue?
*Thread Reply:* @Wolfgang Bauer yes, we recommend to our customers to wait for 13.1
*Thread Reply:* There is no document for it. You need to test it for yourself to verify.
*Thread Reply:* My mail client with exchange server is completely broken. I’m not getting any emails and the app is completely empty apart from the folder list.
*Thread Reply:* What certs are you running on your Exchange servers? Are they compliant with Apple’s requirements? See: https://support.apple.com/en-us/HT210176
*Thread Reply:* Yes it’s compatible. Was working during all the betas and working with iOS 13.1 betas. Seems to only be broken in the GM
*Thread Reply:* Yeah… 13.1 beta 3 is pretty solid. 13 GM is still a mess. Avoid it if possible and wait till 30.9. for 13.1
*Thread Reply:* According to some forums, I’m not the only one to have issue with exchange on 13 GM. Wonder if they’ll end up releasing it with broken exchange
*Thread Reply:* upgraded the same device to 13.1 Beta 3 and Exchange is now working
*Thread Reply:* anyone using a defer update policy for this? What do you guys do at release of 13.1? Push the iOS Version manually to the devices?
*Thread Reply:* interesting the release notes stated that it was fixed in Beta 6
*Thread Reply:* (iOS 13 Beta 6) The allowOpenFromManagedToUnmanaged restriction prevents saving files from managed apps to the local Downloads folder, which is unmanaged.
*Thread Reply:* Interesting. I am not able to test it now (all my test devices running 13.1 betas). Is someone else able to test and confirm?
New video! https://developer.apple.com/videos/play/tech-talks/301/
Hello guys @here, any idea on how to push a Gmail app with a pre-set account on iOS with EMM (MobileIron)?
*Thread Reply:* You can push native account, but Google apps don’t support app config
*Thread Reply:* Google apps can use this native account after if i’m not wrong
*Thread Reply:* Unfortunately I don't know MobileIron but I do know that in Workspace ONE if the device is enrolled using AfW GMail is considered the 'native' mail client and can be configured by a native mail profile.
*Thread Reply:* Jean-marc is talking about iOS. No way to configure Gmail app this way on iOS.
Anyone else have a real hard time getting into the Enterprise Developer program with Apple? They've been dragging me out for almost 6 months with no explanations on the delays.
*Thread Reply:* We were told by Apple that they will try to get as many companies as possible OUT of the Enterprise Developer program. They encourage everyone to start using Custom Apps in Apple Business Manager.
No, it has never been an issue. As long as the contact info you give is correct and you answer the calls from Apple, it all works fine.
*Thread Reply:* Been slow with no explanations. Even did a few screening calls.
@here Apple has updated their terms of service for Apple Business Manager and Device Enrollment Portal. Have your admins login and accept the updated terms of service so that your devices continue to be assigned properly.
Also, Apple has MOVED UP the iPadOS and iOS 13.1 release dates: they will now be released Tuesday September 24.
I have my personal account configured as 'default account' and I have received a SharePoint approval workflow email whose body contains approve and reject options. Starting with iOS 13 devices, when I click 'Approve', the email confirmation is sent using my personal account. Is there a way to alter this behavior without changing the default account to my work email?
Random question (feel free to shame me) when we started deploying VPP apps ABM was not a thing so we used what they now called the legacy portal. I know you can get the apps right in ABM so my question to all of you is if I switch to that rather than the legacy portal will that cause any issues for my existing VPP apps? Thanks in advance
*Thread Reply:* @Boe No shaming. It won't cause any issues. We made the switch too and all of our apps populated in the new ABM portal.
*Thread Reply:* Thanks @Ray Domingue, I appreciate the quick response. Also, the shaming was meant to be in good fun; after all, giving someone a hard time here and there builds character 😄 or so they say.
*Thread Reply:* @Ray Domingue did it take a little while for all your apps to populate? I just took the plunge and turned it on and I'm not seeing any of my old apps yet
*Thread Reply:* It's just classed as a "migration", so it should retain all existing apps, just in the new portal. One thing to make sure of is the locations set up in ABM, and also whether you use VPP purchasing agents. A good article is https://support.apple.com/en-gb/HT208817
*Thread Reply:* Thanks everybody. iOS is by far our biggest use case, so I wanted to make sure before taking the plunge. I love how fast everyone responds in here, far more efficient than reaching out to support 😄
*Thread Reply:* "I love how fast everyone response in here far more efficient then reaching out to support" Wait ... Apple offers support? 🤣
Apple is currently signing iOS 12.4.1, 12.4.2, 13.0, 13.1 and 13.1.1.
https://twitter.com/axi0mx/status/1177542201670168576?s=21
Non techie version:
Any iPhone 8/X or earlier can now be:
booted to any iOS version, past/present/future, with no SHSH/APTickets
booted to any OS (e.g. Android)
compromised by an attacker w/ physical access, but still requires the password (or brute force) for private data
*Thread Reply:* Source: https://twitter.com/morpheus______/status/1177574298791370752?s=21
62657156686f6a75636a4d21506a736699a0f1548b
*Thread Reply:* I bet Android would run lovely on their hardware.
*Thread Reply:* It is bad, but maybe not as bad as it looked at the beginning. See comment #168: https://forums.macrumors.com/threads/checkm8-exploit-opens-door-to-unpatchable-jailbreak-on-iphone-4s-through-iphone-x.2202080/page-7#post-27815808
*Thread Reply:* Some things you mention are only possible once they're actually developed though (e.g. an Android build that can run on such hardware). iOS versions should indeed work.
Also be aware that if you turn it off you have to DFU it to boot again, since the boot rom can't be modified. This exploit is not persistent so it has to be applied on every boot.
By the way as I understand it brute forcing the password/PIN is not possible because the secure element will enforce a number of attempts (10 AFAIK).
*Thread Reply:* Secure Enclave is not compromised AFAIK, so data will still be encrypted and brute force of creds not possible. Any jailbreak should still be detected by MDM or MTD in theory, so from a corporate data point of view this should not be a high-risk item. Obviously monitor closely though, as it's still very new, and be very wary of letting your device out of your sight or plugging it into an unknown Lightning cable!
*Thread Reply:* This is what I understood as well
Does anyone know of a possible solution to get a whole load of iPads up to date to the latest OS without enrolling them? These are brand new devices, still in the box, but they have been sitting in a warehouse for a few months, so they are likely to be running an early version of 12. Obviously we can sit there and put them into DFU and update one by one using iTunes, but it would be great if someone knew a quicker, more efficient way?
*Thread Reply:* If you don't have them enrolled, my guess is that you need to do them by hand. Quickest would be to have a USB hub, connect the devices to Apple Configurator and do a few at a time.
*Thread Reply:* yeah thought this might be the only way, was hoping someone had a miracle solution as there is about 800 iPads that need updating
*Thread Reply:* ^^yes this! I'm not sure you have any other option really
*Thread Reply:* Oh, and set up an Apple Caching server as that will speed up the process a LOT!
*Thread Reply:* GroundControl can do it, if you are willing to do a paid option. Want to reach out?
*Thread Reply:* The customer was about to pay for some temps to come in and do this so paid for option is definitely something they will consider.
*Thread Reply:* If you have a Mac, you can install Configurator for free from the store and then hook up as many devices as there are USB ports available and select all - update
Is there another way to force native iOS email to default to HTML, apart from forcing a signature across all devices that includes an HTML component? WS1.
I've found that iOS devices tend to default to plain text emails despite our server-side signature being enforced, and so the signature is ruined (it requires HTML to display properly).
I posted this in #apple but thought I'd share it here. iOS 13.0 was released on September 19, 2019. iOS 13.1 was released on September 24, 2019. iOS 13.1.1 was released on September 27, 2019. iOS 13.1.2 was released on September 30, 2019.
@Gregory LACASSIN has joined the channel
Hi Folks, can someone recommend a good Endpoint Protection software that integrates with Intune Mobile Threat Defense connector?
I have been asked to architect a mobile standard as a laptop alternative. Some of the designs are easy (iPad Pro, WS1, WS1 Content, Citrix Receiver). We are years away from deciding on Office 365. Where I'm struggling is productivity apps: what to choose and how to design.
Any thoughts are welcome.
*Thread Reply:* Does anyone here use Apple’s iWork apps in their org? If not, what is the most effective way you’ve seen iPad be a useful productivity tool in your office?
*Thread Reply:* Office is a very narrow subset of where mobile devices can be used. There are some great examples on apple.com/business/ from companies across health, industry, transport and construction where iPad is used way beyond the traditional ‘office’ use-cases.
*Thread Reply:* https://www.ben-evans.com/benedictevans/2019/9/27/new-productivity
*Thread Reply:* i have done work like this for clients. my approach is to do a user persona modelling discovery first i.e. workshops, interviews, surveys with end users to find out what their current workflow looks like and where they think it could be improved. usually end up with 6-8 personas and then i analyse these for opportunities for mobile tooling. typically field workers and data consumers/presenters (think sales reps for example) are good candidates for using tablets and mobile apps. if you have a good BA or BA skills it helps 🙂
@MarkD Maybe involve users from a number of key groups to hear their input…
Anyone experiencing issues upgrading their iPad to the latest release? I keep getting « Resume download » after a while...I’ve reset network settings, set to airplane mode/reboot/uncheck airplane mode, removed beta profile etc. There are a few articles out there but maybe there is a huge queue requesting the latest iPadOS? 🤔
iOS 13.0 was released on September 19, 2019. iOS 13.1 was released on September 24, 2019. iOS 13.1.1 was released on September 27, 2019. iOS 13.1.2 was released on September 30, 2019. iOS 13.2 beta was released on October 2nd, 2019 😱🤯 seriously Apple...
Following this rhythm, we will reach iOS 13.9 in June 2019 😛
*Thread Reply:* have you invented a time machine? 😉
*Thread Reply:* Maybe there will be some sort of Moore’s law for iOS updates now? The number of iOS updates will double every year/quarter?
*Thread Reply:* ...while the battery life is reduced by 2 every month? 😆
@Kevin Migliaccio has joined the channel
Has anyone heard something about when federated authentication will be available for managed Apple IDs in Apple Business Manager? As far as I can tell this is still only available for Apple School Manager. Without this iOS User Enrollment won't be a lot of fun 🙂
*Thread Reply:* Could not find anything either. Who is up for creating accounts the manual way?
*Thread Reply:* I'm also eagerly waiting and kind of dreading the moment.. see someone requested staff to be using Apple ID registered with their corporate email - I'll have a lot to explain about conflicts and why they should start changing their existing IDs
*Thread Reply:* Yes we are going to have the exact same issue! It would be nice if Apple could provide a list of users that are using their corporate address currently!
*Thread Reply:* There's also the open question of what happens if users have existing "personal" Apple IDs with a corporate email address.
*Thread Reply:* For Apple School Manager, which already has federation, the docs state: Note that standard Apple IDs cannot be converted to Managed Apple IDs.
Assuming that ABM will work similar to ASM, this could lead to some serious headache.
Maybe you need to create managed IDs like john.doe.appleid@company.com to prevent collisions. But that's just guessing 🙂
*Thread Reply:* So bring me up to speed - the use of managed Apple IDs created with the ABM is only relevant for User Enrollment?
*Thread Reply:* @Damian, ASM shows you the conflicts when federation is configured. https://support.apple.com/en-gb/guide/apple-school-manager/apde685676ac/1/web/1 @Tobias, I believe ABM will work like ASM with regards to federation, which means users will get notifications to change the email address used as personal Apple ID (work email address in our case) to something else, or Apple will automatically rename it in 60 days. https://support.apple.com/en-gb/guide/apple-school-manager/apd3bfda7748/1/web/1
*Thread Reply:* @MichaelM21 Currently managed Apple IDs in ABM are only used for assigning administrative roles inside of ABM itself. As soon as User Enrollment becomes available, managed Apple IDs will be used for that mode.
So User Enrollment Devices with VPP - not device based, correct?
*Thread Reply:* Sure it can be device-based VPP if you like. Or user-based. Your choice.
*Thread Reply:* with the new user enrollment?
*Thread Reply:* I believe so. Why not? Just because there is a Managed Apple ID shouldn’t force you to use user-based app assignment. Device-based offers several advantages.
*Thread Reply:* I know, just currently messing around with WS1, and I agree with you that it should, but apparently it doesn't 100% want to do stuff. Currently assuming it is WS1, as I can see the app then automatically gets the user assignment; though device-based is activated, it just won't push.
*Thread Reply:* So it is potentially that, or the used VPP token must match the MAID's location within ABM. Documentation, at least the one I can find, is pretty slim.
*Thread Reply:* I admit I haven’t tested. But if MAIDs did require user-based app assignment, that would cause problems when trying to use the same app for, say, shared devices with no Apple ID.
*Thread Reply:* User Enrollment does not work with device based vpp. only user licensing.
Anyone know what software iMore use for their guides? They got really nice magnifying effect.
Apple's Preview app does this
And you get a circle that's resizable which will magnify everything inside:
@Brian Irish has joined the channel
*Thread Reply:* you can block it via package name. Some MDM can also remove it via a setting
*Thread Reply:* Thanks Marc, any idea how to remove this via MobileIron MDM? The issue I am facing is that when a user receives a digitally protected attachment via native mail, upon tapping download, it becomes blank. Hence I am trying to fix this by disabling the automatic opening in the native browser.
@John Zmyslowski has joined the channel
Does anyone have the bundle ID for “Find My” handy?
*Thread Reply:* Thanks. Don’t know why my search didn’t return that. Searching “Find My” is just a PITA
*Thread Reply:* https://github.com/joeblau/apple-bundle-identifiers
has anyone ever implemented SSO extension iOS 13 with existings IDP?
New iOS version, again... https://www.macrumors.com/2019/10/15/ios-13-1-3-released/
iOS/Workspace ONE MDM question: Has anyone else seen it where the Hub app displays a white screen with a "skip" button at the bottom that does nothing? It doesn't appear to affect the functionality of the device or email, but it still causes calls to our HelpDesk.
Is anyone using Provisional DEP via Apple Configurator 2? I’m wondering how that goes on a somewhat larger scale; meaning many countries. @Almar Diehl maybe have a talk soon?
*Thread Reply:* Hi Duncan, let’s plan a call.
*Thread Reply:* Hoi Duncan! Nice to see you here also! It's no problem to connect from multiple locations with Apple Configurator. I advise using multiple accounts for that, for monitoring and 2FA. But yes, it's a lot of work.
It’s a lot of work for each device, and I do not know of a way to automate provisional DEP. On the other hand, once devices have been added to DEP, they behave just like regular DEP devices.
Has anyone here figured out if there is a custom profile to manage iPadOS 13's new option for Safari to make it load desktop versions of a web site by default? Settings > Safari > Request Desktop Website > All Websites (Enabled)
I would like to publish a profile that would disable this setting.
*Thread Reply:* Nothing in the configuration payload documentation that suggests it is possible, so I do not think so.
*Thread Reply:* Yeah, I can’t find anything either. But I was hoping for some unpublished XML
*Thread Reply:* iPads aren’t desktops. The UserAgent is updated as macOS when this is enabled.
*Thread Reply:* Plus the only option is “All Websites”. Can’t I at least reference which ones I want in “Desktop Mode”? This isn’t Microsoft Edge.
*Thread Reply:* Thinking I might try a URLScheme to launch the Settings app to that area and work with folks to toggle it off. 🤷♂️
*Thread Reply:* Safari ⇾ Request Desktop Website: prefs:root=SAFARI&path=Request%20Desktop%20Website
@Nico Hermeling has joined the channel
Does anyone know if it's possible to blacklist certain app categories instead of manually defining a long list of blacklisted apps? The customer currently uses VPP with no public App Store, but they are getting fed up with the amount of requests they get from users to publish certain apps, and thought of the possibility of opening up the App Store to the user but blacklisting certain categories (i.e. gambling, adult etc.).
*Thread Reply:* I thought there used to be the ability to push a restriction based on app rating, but that may be deprecated.
*Thread Reply:* You could put something like Wandera on there and use its categorisation capabilities. They could download a gambling app but not use it or access it via a browser.
*Thread Reply:* not the best UX but would achieve your goal i think
Has something changed in the iOS mail app? getting reports the draft folder is not syncing but I don't think it ever did?
*Thread Reply:* Draft sync was added by MS in ActiveSync 16 (Exchange 2016) and enabled for iOS with 10 - https://support.apple.com/en-us/HT202803, So, if you've been running 2016, you should have had it for a few years now.
*Thread Reply:* If you are still on Exchange 2013, there is an additional issue with drafts disappearing from the drafts folder in 13.x, which is fixed with 13.2.
Hello @here, any idea on how to delete VPP licences on certain apps? Not deleting all licences but just reducing the volume? (We have 50000 licences for 10 terminals... it takes more than 5 minutes to sync licences now)
*Thread Reply:* @JmB I created another location in ABM and allocated licenses to that new location. i.e. your 50k you could split it up to 25k to your location and the other 25k to another location you set in ABM. That way in your MDM/UEM you'll see 25k allocated while the other 25k are "hidden". Hope that helps.
*Thread Reply:* I don’t know if it’s possible. You could transfer them to another entity/environment...
*Thread Reply:* With Business Manager or School Manager you could create a new location and transfer some licenses to that other location "Trash location"
*Thread Reply:* Yeah, I have a location called VPP Parking Lot and move licensing there when it’s no longer needed or the app is no longer available.
*Thread Reply:* Holy crap, great idea guys. This has driven me nuts for a while now; never thought about doing this but will be implementing it shortly 😄
Hi All. Does someone know what is going to happen when I back up a device when it is DEP enrolled into one MDM (BB UEM) and then migrate it to another MDM (Intune) and try to restore it from the backup?
*Thread Reply:* @Dimi You're backing it up via iCloud?
*Thread Reply:* Nothing is set in stone. I need to come up with a process that would allow me to transfer user data (contacts, photos, personal apps, etc) when I migrate devices from BB UEM to Intune.
*Thread Reply:* Why don't you just retire the device in BB UEM and enroll it to Intune? The device is still supervised. Disadvantage is that the user can remove the MDM profile. If you can live with that, I would prefer it.
*Thread Reply:* @Nico Hermeling I need a device to be DEP enrolled and Supervised. I believe factory reset is the only way to achieve this.
*Thread Reply:* Surely it won't be supervised if you enroll it to Intune without DEP.
*Thread Reply:* It is still supervised. We're using this way for our migration projects
*Thread Reply:* After enrollment, the only way to turn on supervised mode is to connect an iOS device to a Mac and use the Apple Configurator (which will reset the device). You can’t configure a device for Supervised mode in Intune after enrollment.
*Thread Reply:* https://docs.microsoft.com/en-us/intune/remote-actions/device-supervised-mode#turn-on-supervised-mode-after-enrollment
*Thread Reply:* Here is the expected behavior (tested up to iOS 12, but I don’t believe this has changed in iOS 13): https://mobilepros.org/2019/02/ios-device-management-backup-and-restore-reference-guide/
*Thread Reply:* @Nico Hermeling Are you saying the documentation is incorrect, or am I missing something?
*Thread Reply:* Check it out on your own. If the device was supervised in BB and you just retire it there, it is still supervised
*Thread Reply:* If you back up a device with no management profile or a management profile from another MDM, then wipe it, DEP enroll it into a new MDM and allow for them to restore the previously mentioned backup, the device will not be properly managed.
As mentioned above, it’s probably just better to remove management without resetting the device and manually, via Safari or AC, enroll into the new service.
The supervision will remain in the BB name, but that won’t impact management
*Thread Reply:* We tried doing this (DEP migration without factory reset) 2 weeks ago but it's very hit & miss. Sometimes devices show as enrolled but no profiles are there. Other times we get profile installation failed. Sometimes they work OK.
But overall it was hit & miss unfortunately. This was from Workspace ONE to Intune.
*Thread Reply:* By the way the backup/restore method did work consistently but only if you don't do the restore during the setup wizard.
*Thread Reply:* @Tycho Does it try to restore the MDM profile and apps deployed via the previous MDM?
*Thread Reply:* Yes it does if you do it during the setup wizard. It broke the Intune process (which uses the guided mode)
*Thread Reply:* I didn't test this last bit out myself but this is what my colleagues told me
*Thread Reply:* If you do an iCloud restore/iTunes restore from a device to a device with the same serial # is when you run into trouble
*Thread Reply:* Yes, if you take a device managed by BB and back it up while managed, then reset that same device, enroll it via DEP to Intune, but restore from that iCloud backup during the activation assistant, it will not be managed by Intune. If you restore that same backup to any other device, it will be managed by Intune
*Thread Reply:* This chart doesn’t take into consideration moving from one service to another, but that’s the same idea as having no management profile in this scenario
*Thread Reply:* @Matthew Shaver in the article you say: the assumption is that all management profile data backups and restores are going through the same MDM/EMM/UEM service, and not during the migration from one solution to another.
*Thread Reply:* Yeah, if you are migrating you’ll still hit issues - it will either restore the old management profile or have no management profile
*Thread Reply:* The rule of thumb is to avoid restoring if the serial numbers are the same and the MDM is changing. Instead just skip restore and have iCloud backup data sync afterwards. The only big items that can’t be recovered in that workflow are SMS and voicemail history - those are only put back via a restore
*Thread Reply:* I should say this could have all changed with iOS 13. I haven’t had an opportunity to do a fresh round of testing since it launched
*Thread Reply:* It would be interesting to know what the behaviour is now in iOS 13
*Thread Reply:* It is still the same. DEP enrolment only works if you restore to another device. If you restore to the same device it restores the profile of a previous MDM.
*Thread Reply:* What we have started doing is deleting the device from the old MDM, then making a backup. The deletion removes the profile and then you can safely restore it.
It's a total PITA though 🙂
*Thread Reply:* @Matthew Shaver @Tycho Do you know if this is an Intune-specific issue or will it apply to any MDM?
*Thread Reply:* It would also impact the same MDM if the device were moved from one APNS managed instance to another
Just an FYI for anyone who might not have seen this yet https://www.theverge.com/2019/10/31/20942043/apple-ios-13-iphone-11-pro-ram-memory-management-app-background-refresh
*Thread Reply:* I’m sure they’ll fix it in 13.1.9 which will be out 10 hours after 13.1.8
*Thread Reply:* I’m still catching up on the freshly released 10.3.4
*Thread Reply:* anyone else catch that someone developed something for iOS that keeps location tracking alive persistently despite the background app being killed?
*Thread Reply:* We're seeing this on ManageEngine...app is killed, hasn't been opened in a day at least and it's still reliably reporting locations up to date. I've never had reliable iOS location trails from any other MDM. Anyone know anything about new dev functions for location-based tracking in recent iOS updates?
*Thread Reply:* Hmmm....I know we (Lookout) use the network helper to automatically wake our app up whenever the device moves or changes networks (VPN, wifi, cell, etc). It's fairly solid.
*Thread Reply:* ^That's interesting - I wasn't aware of that functionality
*Thread Reply:* @Andrew Olpin Didn’t the MobileIron client used to use location changes to keep their apps alive as well? It’s been awhile, but that’s what I remember them actually needing location services to accomplish.
*Thread Reply:* Yes, indeed it did. I think the difference is that the network helper allows for more than just location changes. It also includes networks changes, even if the device is stationary.
*Thread Reply:* MobileIron also changed their wakeup strategy to APNS messages. That's another option here, if the service is sending "keep awake" APNS pings.
*Thread Reply:* This is super insightful - would like to test MI out too as I'd rather present just about anything but ManageEngine to folks lol
*Thread Reply:* In MaaS360 for instance, getting accurate location info for an iOS device outside the first 24 hours of enrollment is exceedingly rare
*Thread Reply:* What, specifically, are you trying to do with the product? Is this for fleet management, or just basic back-of-house EMM?
*Thread Reply:* Both really - a huge chunk of our client base is construction so fleet mgmt is a huge concern; we generally outfit them with Androids
*Thread Reply:* but some folks have already invested in iPads and deployed them
*Thread Reply:* Hmmm....I'd suggest you start with GroundControl (@aaron) and see where they can take you.
*Thread Reply:* I haven't kept up on all the ins and outs of the product, but back in my MobileIron days they were a great partner for fleet management.
*Thread Reply:* For basic MDM / EMM, I was surprised at how much I liked Cisco's Meraki product. It doesn't have a lot of advanced features, but it was easy to use, and the user UI was solid.
*Thread Reply:* Also, a bunch of your customers may be using Microsoft Office 365, and may already have EMS licenses which include Intune. While I find Intune a bit frustrating to use as an admin, for no-frills EMM it'll get the job done...and potentially with no added costs.
*Thread Reply:* Intune won't do location tracking... period
*Thread Reply:* @Paul Conaty Wait seriously?
*Thread Reply:* Yep. Lost mode only https://practical365.com/clients/mobile-devices/can-microsoft-intune-see-managed-mobile-devices/
@RamananScalefusion has joined the channel
Does anyone have a table in which "DEP / Supervised", "Supervised" and "non Supervised" devices are compared? What are the differences, which ones can be backed up and restored ?
*Thread Reply:* Back up is tricky though. It breaks DEP enrolment if you restore. You can only restore to a new device.
anyone else aware of an apparent 13.2 bug returning a "Device must be enrolled interactively" error - and then when going to reset via iTunes receiving error "Turn off Find My iPhone" ? These are brand new DEP devices, and may only be an issue when restoring from a backup with a previous management profile on it
*Thread Reply:* There is another thread floating around with this question - seems to be impacting every solution. We've opened an Apple ticket for it, but I haven't seen any traffic on it yet
*Thread Reply:* Yeah I saw first reports coming out of Intune
*Thread Reply:* just saw our own on MaaS
*Thread Reply:* Anyone heard more on this? MI Support hasn’t been able to draw any real conclusions. Not that I expect them to at this point.
*Thread Reply:* The only workflow on which we’ve been able to reliably reproduce the behavior is utilizing the proximity setup option
*Thread Reply:* We just saw another one with a brand new AT&T Device order. Restore was attempted
*Thread Reply:* Replacing with a brand new device
*Thread Reply:* Ugh @Justin Butts. That’s gotta be frustrating for carriers
*Thread Reply:* So replacing the device is the only solution to this?
*Thread Reply:* @Sharkey I’ve not heard anything official from Apple, but it sounds like that has been the only definitive way to fix the issue at this moment.
*Thread Reply:* Ouch. Just had one reported here
*Thread Reply:* Apple told us in their “We are Investigating” response to try a factory reset. Some workflows seem to reproduce more consistently than others - I can make it happen every time I use proximity setup, for example
*Thread Reply:* We don't allow restores with DEP and an iTunes restore did not help. DFU doesn't help either?
*Thread Reply:* Is the user restoring a backup or using proximity setup at all?
*Thread Reply:* I'm checking with the Telecom person
*Thread Reply:* They used iTunes to try and restore. She gave him a different device. I’m picking up the problem child device next week for testing.
*Thread Reply:* I would also ask them to try activating without doing the iTunes restore. I'd bet that's the culprit
*Thread Reply:* Probably so. But they already moved on :)
*Thread Reply:* Has anyone on this thread received any updates? Just trying to find some documentation/acknowledgement from Apple that I can pass on to my customers.
*Thread Reply:* Just an acknowledgement by Apple that they’ve received numerous reports and that they are investigating.
*Thread Reply:* Yay, FYI, 13.2.3 is also experiencing this. Pandemonium ensuing... wouldn't it be wonderful if people just bought more iCloud storage space and moved on with their lives without previous iPhone backups? Just sign in people...
*Thread Reply:* Just had a 13.2.3 device go through this process without fail...
Apple allegedly replacing devices and acknowledging a bug
logging into iCloud on browser and removing the device seemingly no impact
I get a lot of questions from users on how to find their ABM/DEP/ORG ID (however you want to call it 🙂). To hopefully save some emails for the community, here is a video I made on how to find your org's ABM ID and add a reseller to your ABM portal. https://youtu.be/Kif1sXJJAdE
@Michael Troelstrup has joined the channel
Semi tethered Jailbreak https://checkra.in/#release
@Wannes De Boodt has joined the channel
Do we have the ability to arrange a logical grouping of apps on a supervised device? I know this was not possible previously, but it’s been a while since I attempted it.
*Thread Reply:* @Woody you mean folders? Pages? Yes you can do all with home screen icon arrangement. Usually a standard EMM feature.
*Thread Reply:* @aaron Yeah - I just found it. Last time I was doing it, I was lending profile templates from Configurator. Now they’ve been added to the main list of iOS Policies in MobileIron. Crafting one now 🙂
*Thread Reply:* Keep in mind that any apps that are not listed in your profile will be pushed to the first empty space on screen. Also, web clips can’t be organized (from what I’ve seen/experienced).
*Thread Reply:* Webclips can be organized, but you will most likely need to apply custom XML unless it has been added to the MDM’s GUI.
*Thread Reply:* @DirkC - Yes sir! Current MDM (MI Core) has it included in the GUI.
*Thread Reply:* @DirkC Have you been able to get web clips organized? None of what I’ve attempted works. Could you share your success?
*Thread Reply:* The Home screen layout profile is basically a nested array of items. The web clips should be created within the profile itself to be ordered correctly.
*Thread Reply:* Oh. We can’t do that. I’ll test it out though. Thanks!
*Thread Reply:* Unfortunately web apps created by a web clip profile are not given unique identifiers 😞 Maybe Apple will make some change with a future update.
*Thread Reply:* Yup. That was why I couldn’t figure out how to do it. Makes sense when it’s in the same profile that you’d have more control.
So got ABM connected to Azure and now it says we have 468 people using @ourdomain for Apple ID and they could request to have them change it, but I thought if I took the option to "Include “appleid” subdomain in each domain" this would avoid that issue?
*Thread Reply:* that seems to not work, I have a ticket open with apple to see what they say
Something interesting from Germany: https://www.comconsult-akademie.de/ios-im-unternehmen/
iOS sessions
QQ: have a VIP locked out of iOS as his passcode isn’t working. He swears that it was working today and stopped post reboot of his iOS device (device MDM registered on AirWatch). As his passcode isn’t working and there is no network to clear the passcode via AW, has anyone successfully managed to send the command if the device is connected via a Lightning to Ethernet adapter? Don’t have an adapter here to test unfortunately...
*Thread Reply:* Use a SIM card without SIM Pin. That way, the device will connect to cellular even before it is unlocked.
*Thread Reply:* Yes, I have had success tethering it to a network cable to get around the SIM lock
*Thread Reply:* SIM Card without SIM PIN is always the easiest way to fix this
*Thread Reply:* If you knew how fast Orange work here...anything we ask takes a month to get sorted
*Thread Reply:* I’ve ordered a Lightning to Ethernet cable to get around this - delivery Wednesday
*Thread Reply:* Curious if anyone is seeing this behaviour as we’ve had a few reports recently that the passcode is not working post reboot ?
*Thread Reply:* As we force passcode renewal every 90 days, is it finally being pushed due to a bug? Will have to extract the logs! Hopefully not too late to get them before the cable arrives
*Thread Reply:* I’ve had varying degrees of luck. Only the cellular data is supposed to be locked after the restart, and the device should be able to connect to wifi if auto join was enabled, but I have trouble getting that to work in some scenarios (such as on captive networks). There really should be some sort of connectivity option on that lock screen after reboot.
*Thread Reply:* Wi-Fi is definitely not working for us
*Thread Reply:* And it’s a saved profile with auto-join
*Thread Reply:* I think I’m going to open a case with Apple enterprise support to get the definitive word on this...was reading that since iOS 12 they might have closed this Ethernet connection option
*Thread Reply:* The problem is that the device is still in a secure lock state after the reboot. It does not connect to Wi-Fi until the password is at least entered once. We do see it on occasion on other MDMs but typically discount it as a user error. Never had it myself. With the recent iOS release bugs and a somewhat similar snafu on macOS however (@Jason Bayton reported one here and I had the same issue) it just might be an iOS issue
*Thread Reply:* I can reproduce that behavior in Apple Configurator too - if I use that to reset the device passcode after a reboot, the console comes up with an error that the action can’t be completed. I asked Apple about this once and they said that the behavior for AC is different than if an MDM does the actions. They said it should be able to connect to Wi-Fi (this coming directly from an engineer) but this runs counter to the behavior we actually witnessed. It’ll be interesting to see what they say to you
*Thread Reply:* I always believed that key material stored in the keychain is not accessible until the user enters the password following a reboot. At least that is my experience and always thought this caused the wifi not to connect. So my experience is indeed also opposite of what the Apple engineer said.
*Thread Reply:* Actually, it is even described by Apple in the ios security guide: https://www.google.com/url?sa=t&source=web&rct=j&url=https://www.apple.com/business/docs/site/iOS_Security_Guide.pdf&ved=2ahUKEwi6ho7VkvTlAhVLa1AKHVNOAl8QFjAAegQIBhAB&usg=AOvVaw3Ujo8tzl-eehO9Buh7Q4iQ
Page 21.
A Wi-Fi password is only accessible after first unlock. Certificates are always accessible though. So I guess it depends on the Wi-Fi network configured.
*Thread Reply:* Which tracks with it not working on captive networks - but if I use my mobile hotspot with a passcode on it, the action will work.
*Thread Reply:* I’ve opened a case to get a definitive answer on this and won’t let up until I have all I need. Let me know if there any questions you’d like answered around this topic ;)
*Thread Reply:* The only thing we observed since iOS 13 is that devices are sometimes slow when you try to enter your passcode. And if you enter the digits too fast, not all entries are taken, which results in errors
*Thread Reply:* Definitely noticed that! Also this here: https://www.theverge.com/2019/10/31/20942043/apple-ios-13-iphone-11-pro-ram-memory-management-app-background-refresh
*Thread Reply:* Does the VIP have this issue with an iPhone or iPad? We recently had an issue where the iPad Pro with an Apple keyboard was defaulting to caps lock, which is why the passcode wasn’t being taken. Again not sure if they have a numeric PIN or complex but figured it was worth sharing
*Thread Reply:* Removing the pin from the SIM of my phone and putting it in the affected device allowed the clear passcode push to hit the device and thus resolved the issue...yes it really was that simple...who would have thought but for some reason my head was stuck in carrier mode and not disabling the goddamn pin from within the iOS setting...! Just awaiting log analysis from support!
Hi, I wanted to play around with User Enrollment, even though we don’t use Azure AD. I created the managed Apple ID myself in ABM and then followed the instructions under this link: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1910/iOS_Platform/GUID-F680F0CB-5BEB-4EDE-A885-72392AFE938C.html When I try to enroll the device, I receive an error which basically tells me that the account could not be registered and I’d have to contact the admin (myself). What is missing for me in the instructions, is the part where the WSO console comes to know about the managed Apple ID so that I can actually use it. Anybody in here who had some similar issues or maybe already sees what I’m doing wrong?
*Thread Reply:* Did you ensure that the OG that you are enrolling into has User enrollment enabled : https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1910/iOS_Platform/GUID-9759D1D5-D76C-4139-BF7A-8965F50E353F.html as well as require MDM agent for iOS is not enabled?
*Thread Reply:* "Your account could not be registered. Please talk to your system admin."
*Thread Reply:* If you turn off user enrollment at that OG, does it work?
*Thread Reply:* Looks like you shouldn’t even get to the portion where it asks for a password when user enrollment is enabled at the OG.
*Thread Reply:* I don't believe that "User Enrolment" and the Azure AD // ABM connection are interlinked.
They are separate subjects not reliant on each other.
The Azure connection is just so that users can use their corporate credentials as their Apple ID, and user enrolment is just a form of iOS "Work Profile" enrolment, which is not reliant on any specific corporate Apple ID.
**Turns out I'm wrong... :)
*Thread Reply:* @DirkC “User credentials are invalid”, is what I get then.
*Thread Reply:* Sounds like something is wrong with your user.
*Thread Reply:* @Simon Hardy-Bistagne Ah okay, thanks for the clarification. Still, I’ll have to dig deeper in order to find out how to make this scenario work for me.
*Thread Reply:* @Simon Hardy-Bistagne @Julio User enrollment requires a Managed Apple ID to function (MAID). You can either create the IDs manually, or federate to Azure AD.
*Thread Reply:* Workspace ONE UEM has the user install a special management profile that will have the user input their managed Apple ID email address and password within a special GUI. Sounds like Julio may be running into an issue with the user.
*Thread Reply:* Are you able to ensure that the enrollment organization group of the user is set to the OG where user enrollment is enabled and that a duplicate user account with the same email address doesn’t exist?
Have any of you seen User Enrollment fully functional? Enterprise iCloud - not working! Enterprise contacts, calendar and reminders also not! What's going on? #ios13
*Thread Reply:* The instructions on how to make it work without Azure AD in Workspace ONE are already a hot mess. Tried it yesterday and didn’t get it to work.
*Thread Reply:* Works fine here following the WS1 guide
*Thread Reply:* What if the email is already registered as a private Apple ID? Is there a solution for that? I mean the solution of course could be to use the recommended subdomain as a managed Apple ID, like user@managed.company.com. I know there is no possibility to convert existing private Apple IDs into managed Apple IDs (except having the user change the domain of the private Apple ID so the original email domain frees up)
*Thread Reply:* Learned yesterday, if it is a company domain that is assigned in ABM it can be claimed by the company. User gets informed and has 60 days to remove his personal data from it. After those sixty days it becomes a Managed Apple ID.
*Thread Reply:* Really? And this is triggered when creating that particular managed Apple ID?
*Thread Reply:* As far as I was told, yes. But would have to try it to confirm it. Got that info from a certified Apple trainer in an iOS 13 training yesterday.
*Thread Reply:* Very cool information, thank you. Will also try this.. On that same note: Do you know if there is a way to do a bulk creation or only one by one possible?
*Thread Reply:* Raised that same question yesterday. He said using CSVs that you can upload to ABM would give you that possibility. It would have to follow a specific template, that I haven't seen yet, but it should be possible.
*Thread Reply:* Federation is the best approach as local Apple ID creation, even in bulk may have unintended consequences when attempting to manage the services and access those ids have. For instance, I have heard anecdotally that local, managed Apple IDs have issues with User-based Enrollment. The success of enrollment is not consistent when using them. Whereas, federated identities tied to managed Apple IDs work consistently.
*Thread Reply:* Does it matter which IdP is in place? Like PingFederate, ADFS, etc? Is this just for Azure AD?
*Thread Reply:* @Julio After the 60 days the personal Apple ID gets assigned a random username, so that the company email can be used as a managed Apple ID. The personal one doesn't auto-transfer to managed
*Thread Reply:* But as far as I was told, this feature works only for federated authentication, not when adding managed Apple IDs manually or via CSV
*Thread Reply:* Indeed only for federated accounts
*Thread Reply:* Since you mentioned SSO: at one point the user has to provide the password, right? Or can this be done seamlessly?
*Thread Reply:* Federated means that your users will use the existing password for the identity that is federated to ABM. For example, I have an ID called me@me.com. This identity is what I would use to authenticate and thus I would use the password associated with that identity service. Behind the scenes, Apple creates a managed Apple ID that is obfuscated from the user, but assigned based off of your ABM settings.
It seems that apps are allowed more time in the background since iOS 13.2.3 as reported here where they were being killed more often: https://www.theverge.com/platform/amp/2019/10/31/20942043/apple-ios-13-iphone-11-pro-ram-memory-management-app-background-refresh
@Florian FERRAND has joined the channel
@Carl Bjorklund has joined the channel
@Chris Avedissian has joined the channel
Does anyone know if it's possible to push a home page or bookmark to Chrome on iOS by chance?
Not to Chrome...
*Thread Reply:* Thanks Peter that's what I figured I hadn't found a way to do so but figured I would ask in case someone had some black magic up their sleeve :D
*Thread Reply:* Don’t know why they support App Config on Android but not on iOS
Does anyone else experience DEP sync issues? We have two customers with two WS1 On-Premise environments each (hosted in Germany), which all fail to sync new devices. Token refresh did not solve the issue.
Does the following sound familiar: when the iPhone is idle for a while, notifications are not coming through from messages, either SMS or WhatsApp. The phone is not on Do Not Disturb, and when the phone has been used recently everything works fine
Hi all! Yesterday Apple released an updated online deployment guide for iPhone/iPad. https://support.apple.com/guide/deployment-reference-ios/welcome/web
*Thread Reply:* Nothing new in here, if you’ve been following the iOS 13 updates, as far as I can tell. But some documentation is more clearly written.
Anyone else having issues with notifications for new emails with the native client on iOS 13? Sync is set to push but certain devices only receive new mails when opening the mail client. Is there a known issue? Never seen this before. (Exchange On-Premise with MobileIron Sentry & Core, Basic Auth)
*Thread Reply:* yes I've been having issues as well. I will sometimes have to force close the mail app to have it reload. Manual refresh will not work
*Thread Reply:* Up until 13.2.3 there were many issues with mail notifications. These are known issues with Apple and I believe most of it is solved now with 13.3
*Thread Reply:* Each release of 13 has addressed some sort of email issue; hopefully 13.3 finally fixes the last of them, but only time will tell.
*Thread Reply:* https://support.apple.com/en-us/HT210393
· Fixes issues in Mail that may prevent downloading new messages
· Addresses an issue that prevented deleting messages in Gmail accounts
· Resolves issues that could cause incorrect characters to display in messages and duplication of sent messages in Exchange accounts
*Thread Reply:* A few of my users have been facing an issue deleting emails from their Apple native mail app. Deleted mails appear again in the inbox. They are all on iOS 13.2.
Hello all. I deferred iOS 13 through MDM. It's the first time I did that, so I'm wondering: on the 18th, when the 90 days are reached, will the devices update to just 13.1 or can they jump up to 13.3? Assuming the deferral policy is still active on the device.
*Thread Reply:* Hi @Jeoffrey Burri! They shouldn’t update automatically. Rather, they will prompt the user to update to 13.0. The user can decline.
*Thread Reply:* https://support.apple.com/guide/mdm/defer-software-updates-mdm02df57e2a/web
*Thread Reply:* This example in particular: > For example, you have an iPhone fleet running the latest version of iOS 12 and you have applied a deferred software update payload of 90 days to all of them. As the table above illustrates, iPhone users begin to have iOS 13.0 offered to them on December 18, 2019, as 90 days have passed since the launch of iOS 13.0.
*Thread Reply:* You may consider removing the deferral restriction, so users are prompted for 13.3 instead.
*Thread Reply:* Thanks @aaron! My users are not allowed to decline any update I generously decided to offer them 🙂. I'll remove the deferral altogether since many bugs got fixed in the meantime.
*Thread Reply:* BTW, don't try combining deferral with allowing a specific version to update to. It simply doesn't work properly
iOS per-app VPN question for you... I know it is possible to apply per-domain VPN for Safari, but is it possible to route all Safari traffic via a per-app VPN? Is this as easy as putting an asterisk into the Safari Domains field?
Can anybody send me a screenshot with an enterprise iCloud icon / setting?
Anyone have some links to the new DEP customization screens for iOS Apple is releasing? Videos etc.
I've seen them around but can't remember where by now 👀
*Thread Reply:* SimpleMDM allowed me to generate my own screen ... it’s there since 13.0
*Thread Reply:* Realize that, just looking for some demonstration videos etc
Does somebody know this? Is the PushMagic within the iOS backup? Local / iCloud?
@Wannes De Boodt has joined the channel
@Julian Brennan has joined the channel
Can DEP set device name similar to how Configurator does?
*Thread Reply:* @Sharkey Is that a config that is pushed post DEP wizard?
*Thread Reply:* Yeah. Part of the managed settings I believe.
*Thread Reply:* K. Trying to find it in MI Core. Don’t know if they included it in the UI
*Thread Reply:* It’s not a profile for sure. At least in WS1.
*Thread Reply:* I wonder if we can set a device name prefix and have it generate based on that…
*Thread Reply:* Possible in WS1. Not sure if it sticks in settings. Might have to set a restriction profile to grey it out.
*Thread Reply:* Where is it located in WS1? I’ve checked most areas in MI Core but perhaps I’m overlooking it
*Thread Reply:* Also have to either allow name changes (not applying the block profile) or be iOS 13+
*Thread Reply:* In MI Core as of 10.5 you can create a Change Device Name policy for supervised devices.
*Thread Reply:* Nice! I’ll get our DEV up to 10.5. Thanks @Almar Diehl and @Stephen
Does anyone already have experience with managed Apple IDs and using them for arbitrary Apple services? We are in the process of federating our main mail domain with Apple Business Manager. Existing Apple IDs using that mail domain need to be renamed or will be renamed automatically after the grace period. We currently have no idea if the new managed Apple IDs can be used in other Apple portals that we use as a company like Apple Dev network or Apple eCommerce portal. Did anyone already move through that process and can share some insights?
*Thread Reply:* We got the word that they should be able to be used everywhere, a couple of months ago there were some exceptions but not anymore
Anyone found a way to scan a QR code to join WiFi during iOS setup wizard? Looking to avoid handing-out a SSID/PSK for the network we’re going to use to enroll devices
*Thread Reply:* I don't think so, but you know people will figure that out in 2 minutes right? There's always a smartass in every office that will tell everyone the key and within a week every unauthorised device will be on it 🤣 (I know because I used to be one of those smartasses before I was in IT)
*Thread Reply:* I view QR more as a convenience feature rather than to hide the PSK
*Thread Reply:* @Woody why not create a temp wifi just for the enrollment with simple password?
*Thread Reply:* At one organization, I created a dedicated SSID named "Provisioning" open network, no PSK. It was throttled to 1mbps, and was filtered to only allow access to Apple, Google and the MDM. The WAP was tuned to low power that only spanned a radius of the provisioning rooms within the building.
*Thread Reply:* @Nick That’s actually more the direction we’re going. A Provisioning network with limited access/bandwidth.. to be used strictly to ramp-up into EMM.
Hey all. Just looking to confirm iOS wifi password sharing would not share domain based credentials. We use domain credentials for corp wifi I should say.
Nice seminar (German): https://www.comconsult-akademie.de/ios-im-unternehmen/
Curious - Who’s gone down the path of entirely disabling use of iOS native Mail/Calendar/Contacts in favor of the Google GMail/Calendar apps (for use with GSuite)? Well received or not?
*Thread Reply:* There is not a contacts app from Google; you have to use the iOS native one
*Thread Reply:* @Stephen yeah, we were discussing that using CardDAV. My thinking is that the two aren’t going to integrate well
*Thread Reply:* Google's own advice is to use the native contacts and Google account profile. I am not sure how you would integrate CardDAV and would only do so with a really really good reason. Once you have contacts you get mail and calendar, so you might as well use them native; plus all apps with a send email button go to native.
*Thread Reply:* Right @Stephen? That’s my thought as well. Don’t mix/match
Hello, does anyone know if it’s possible to obtain the MAC address of authorised iOS devices through an API call to the ABM? We would like to pre-authorise all corporate devices on our WiFi network before starting their enrollment on WS1 UEM.
*Thread Reply:* MAC address is not a field that ABM gives out
*Thread Reply:* Is there a reason you're using a MAC filter? Spoofing a MAC address is pretty easy. Might work better to do something like certificate based auth, and have WS1 deploy the certificates and wifi config on enrollment.
*Thread Reply:* @Andrew Olpin Yeah that's exactly what we do. It offers great security.
But I suppose @Damian is looking to do this to facilitate the enrolment itself. This is actually a tough point for us too. If a device has no 4G (like most iPads we have) it's really annoying to get them onboarded because our guest network times out too quickly.
*Thread Reply:* Definitely, I would go with RADIUS auth using certs
*Thread Reply:* for enrolment i would suggest a dedicated enrolment SSID with minimal restrictions and then deploy the corporate SSID via MDM
*Thread Reply:* @Tycho Create a hidden "Apple Store" network without password. oops did i say that out loud? 🤔
*Thread Reply:* Should have explained a bit better! Our corp Wi-Fi is actually outsourced so it’s public in a sense that requires registration via SMS and only lasts 24h. We need to register all corporate iOS devices’ MAC address before enrollment begins. Might just have to poll our carrier’s database or export of some kind.
*Thread Reply:* roundabout option but if you had a simple secondary wi-fi box you could attach them all to then you could export the MAC addresses from there maybe
Has anyone heard of the below issue in the GA version of iOS 13.3? Any insight would be greatly appreciated.
• New mail item arrives and notification is displayed on screen
• Item does not appear in the inbox, but in the deleted items folder in an unread state.
Appears to happen with users hosted in Exchange Online or Exchange 2010 on-prem. Exchange audit log shows a "MoveToDeletedItems" Action from the mailbox owner for the item.
Does anyone have a source for documentation for the Apple ABM API calls
*Thread Reply:* My understanding is that the ABM API is only available to MDM partners and is not published due to them not being customer-facing.
*Thread Reply:* Other partners have some documentation as well but @DirkC is correct - you have to be a partner of Apple to have access to that.
*Thread Reply:* Maybe one day Apple will expose a REST API endpoint for public consumption.
*Thread Reply:* Actually it is documented here: https://developer.apple.com/documentation/devicemanagement/device_assignment?changes=latest_minor
*Thread Reply:* Or is that the legacy DEP Portal documentation?
Just started a thread on the workspace one forum if anyone wants to contribute? Thanks https://mobilxperts.slack.com/archives/C1V75UE76/p1580748855065200
How can I delete a complete ABM for my company permanently?
*Thread Reply:* I believe the only way is to contact Apple Support
*Thread Reply:* @iMZ Out of curiosity ... why are you wanting to completely remove ABM from your company?
Hey guys can we legally virtualise a Mac? We need a Mac for Configurator 2 as we use the update and backup features.
*Thread Reply:* Legal? The OS itself is free. I use Mac VMs all the time for DEP deployment engineering.
*Thread Reply:* Thanks, was just checking if there was anything in the T&C's regarding VMs
*Thread Reply:* Haven’t read anything specific from Apple. Sure they would discourage it. If worried, buy yourself an old, cheap Mac mini. It will do the job.
*Thread Reply:* Can I ask what VM environment you are running? Wondering if we can store the VM on a network server and have USB passthrough to connect devices to the local machine
*Thread Reply:* I’m just running them in a Mac using parallels. Nothing fancy.
*Thread Reply:* I seem to remember that you are only allowed to run macOS on Apple hardware. You can use Parallels/Fusion/etc on your MacBook/MacMini but are not allowed to run the same VM in VMware Workstation on Windows....
*Thread Reply:* Thanks, that's the impression I'm getting too, plus the fact I think the Mac VM only runs on Mac hardware
*Thread Reply:* Ahh. You can actually get the Mac to run in a VM on Windows - so I've heard :)
*Thread Reply:* Yes you can do it with donk's unlocker on Windows, not legally of course.
Cool thing is on ESXi if you install it on a Mac it will automatically enable macOS guests.
*Thread Reply:* Yes, as stated above it's only “legal” to run OS X VMs on Mac hardware, and normally Apple only allows host + 2 OS X VMs under the EULA
On iOS, the GMail client is the best for my users. We don’t need any of the native apps. Prove me wrong 🙂
*Thread Reply:* native mail: great integration with your on-device services
Gmail (or Outlook or other 3rd party): less integration with on-device services (maps etc) but perhaps better integration with backend services
*Thread Reply:* @Peter Mohr Oh, and… Google has GMail AND Google Calendar. Those will sync contacts to our user’s device for phone calls, right?
*Thread Reply:* @Woody maybe, but my point is integration. If you want your users to be able to use their contacts for Siri, for Maps, for other 3rd party apps etc then you might need to go Native. It also depends on your level of GDPR compliance 🙂 As an example, if you use MS Outlook and want to have contacts and callerId, then you need to enable iCloud sync for your contacts. This puts corporate contacts in a personal iCloud <> GDPR compliant... Then you need to limit contacts to stay inside Outlook and then you have lost your users... Perhaps GMail is different, I don't know...
*Thread Reply:* @Peter Mohr Totally know where you’re coming from. My statement above was received from my counterparts who maintain our GSuite service
*Thread Reply:* @Woody 🙂 I figured. just trying to put in arguments to help you...
*Thread Reply:* but basically you need to choose between on-device integration and back-end integration
*Thread Reply:* I choose on-device integration whenever I can !!
*Thread Reply:* Great way to look at it though! The back-end integration in this case is less than existent. On-device is certainly preferred.
*Thread Reply:* Does GMail have CallKit integrated to identify the caller ID without syncing contacts to the native contacts app?
*Thread Reply:* @Nico Hermeling even if it has CallKit I'd also like to be able to use my contacts from Waze, Paypal, Messages, Maps etc... CallKit doesn't help there.
*Thread Reply:* It was a general question, not in regards of your point of view.
*Thread Reply:* I know 🙂 my point was that callKit is not super important (but relevant for sure)
*Thread Reply:* Google Hangouts support callkit, but GMail doesn't as far as I can tell. Google Contacts is synced using the "accounts and passwords" in native settings UI
*Thread Reply:* @Woody last point: GMail can't be configured using MDM on iOS (again, to my knowledge) and thus Native is better 🙂
We don't want/need users to do anything to get rolling. We'll set everything up for them
Does anyone know if iOS "user enrollment" allows the creation of a passcode for the "work" side? I can’t find info on this. We want to stop enforcing a passcode change on the entire change for our users on personal devices.
That’s a good Q @Damian. I need to get back to PoCing User Enrollment
Doubtful since Apple doesn’t want you to feel separated.
Well they are making efforts here so fingers crossed
"we don't believe in dual-personas" - some Apple dude (Jobs?). User enrollment is about privacy and not about dual-personas. There's no "work challenge" as Android Enterprise has.
You may want to look if you can just stop requiring passcode changes; security guidelines do not recommend it anymore
@Stephen yes. stop forcing users to change. make it longer (6-8-10 and maybe even add some complexity) and let it stay the same...
@Stephen You got a link to these security guidelines for iOS?
Not iOS specific they are general ones https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/ and they are not the only ones
*Thread Reply:* NIST recommended this in 2017, majority of companies are struggling to accept this new recommendation.
*Thread Reply:* check the NCSC guidelines on this. good reference https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
*Thread Reply:* also Cyber essentials have good guidance https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure
*Thread Reply:* relevant section of Cyber Essentials guidance:
Password-based authentication
The Applicant must make good use of the technical controls available to it on password-protected systems. As much as is reasonably practicable, technical controls and policies must shift the burden away from individual users and reduce reliance on them knowing and using good practices. Users are still expected to pick sensible passwords.
For password-based authentication in Internet-facing services the Applicant must:
• protect against brute-force password guessing, by using at least one of the following methods:
  • lock accounts after no more than 10 unsuccessful attempts
  • limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
• set a minimum password length of at least 8 characters
• not set a maximum password length
• change passwords promptly when the Applicant knows or suspects they have been compromised
• have a password policy that tells users:
  • how to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet)
  • not to choose common passwords — this could be implemented by technical means, using a password blacklist
  • not to use the same password anywhere else, at work or at home
  • where and how they may record passwords to store and retrieve them securely — for example, in a sealed envelope in a secure cupboard
  • if they may use password management software — if so, which software and how
  • which passwords they really must memorise and not record anywhere
The Applicant is not required to:
• enforce regular password expiry for any account (we actually advise against this — for more information see The problems with forcing regular password expiry)
• enforce password complexity requirements
Does anyone know an overview of when to use the profile manager of macOS server and when to use Jamf, MobileIron or something else?
Guys, is there a minimum required version of Intelligent Hub for iOS 13? Logs show - MDM Break requested on device after update to iOS 13?
Any idea how we can add or access a shared mailbox on iOS devices via the native email app if the user is on O365?
*Thread Reply:* As far as I know, shared mailboxes are not supported for ActiveSync. Outlook Mobile uses Exchange Web Services, which support it.
*Thread Reply:* Outlook app on O365 will do it
*Thread Reply:* Outlook > Settings > Add Mail Account (under Mail Accounts) > Add Shared Mailbox
Is it possible to configure the hotspot "APN" for iOS devices with MI Core (cellular policy)?
*Thread Reply:* Should be, https://support.apple.com/guide/mdm/cellular-mdma34b7357/1/web/1
*Thread Reply:* Policies & Config / Configurations / Add New / Apple / iOS / tvOS / APN ?
*Thread Reply:* This APN config was deprecated a long time ago and only configures the APN, not the personal hotspot
*Thread Reply:* @Thomas B. Thanks, but it says nothing about the personal hotspot, only the main APN
Shared iPad for Business is live: https://support.apple.com/guide/mdm/shared-ipad-overview-cad7e2e0cf56/web
*Thread Reply:* I wonder how long until the big MDM's will support this new feature
*Thread Reply:* Shouldn't be too long as far as I've heard.... It's very much like EDU Shared ipads. Just minor changes in the admin part
*Thread Reply:* Business doesn't get the 200 GB iCloud chunk per user, correct?
*Thread Reply:* will have to do some testing, we disable a lot of the cloud features via our MDM for data sovereignty concerns.
*Thread Reply:* @Roo Not anymore 😉
*Thread Reply:* Also included temporary sessions, like a guest account for iPad
*Thread Reply:* here is WS1 info on the subject: https://techzone.vmware.com/blog/what-are-shared-ipads-business
Does anyone know if it is possible to prevent sharing notes from the Notes app through Messages?
Here is the scenario; I am admining a group of iPhones that are not supposed to have Messaging of any kind but they need the Notes app. They have discovered that they can go to Notes and write a note and tap on the Share icon and then they can share the Note via Messages even though we have Messages Blacklisted and are not allowing iMessage. The question is can this behavior be prevented?
*Thread Reply:* By blacklisting I am guessing you mean you hid the messages app?
*Thread Reply:* Yes, I have it in the Blacklist in Jamf Pro
*Thread Reply:* And DLP settings can't stop this? Allow open documents from managed sources in unmanaged destinations set to false? I would think this would stop your issue
*Thread Reply:* Changing those settings doesn't seem to make any difference in the behavior.😢
*Thread Reply:* Notes won’t be flagged as managed, as it is a system app. I guess the only way would be to promote a third party note taking app, and deploy it via MDM to flag it as managed, then the open-in restriction should apply.
*Thread Reply:* But Mail, Calendar, Contacts and Safari do support manage/unmanaged settings even if they are system apps so perhaps a managed account in Notes will do the same (haven't tested Notes though) - But just because they are system apps doesn't mean that they can't handle managed open-in 🙂
*Thread Reply:* You are right, but they use either managed account or managed domains respectively, so that is why you can apply open-in restrictions to it. No such things in Notes though…
*Thread Reply:* Thanks for all the help on this
Does anyone here know if the iOS Books app allows you to deeplink to PDFs in the app? We must PDFs to the iOS Books app from our MDM and want to make it easier for users to find them. iBooks:// launches it but want something
*Thread Reply:* Are you pushing PDFs to iBooks? If so you can convert to ePub before pushing then use “itms-books://“ to open up that ePub possibly.
*Thread Reply:* Currently yes we are publishing PDFs. If we use “itms-books://“ what would the url of the ePub after be? The file name?
*Thread Reply:* iBooks:// also launches the books app but just want to show users the PDFs or ePubs we push down
Good morning everyone! Does anyone have any information on when (if not already) Modern Authentication will be supported in the Apple Setup Assistant for DEP enrollments?
Currently arguing with a buddy of mine who has it working for MacOS DEP enrollments, stating the same should work for iOS... but I'm not finding anything!
It is; you do have to use the custom enrollment flow with MDM support
yes, modern auth works in iOS 13+ and iPadOS 13+; it must be enabled in the DEP profile in your MDM
*Thread Reply:* Does SAML/Modern Auth need to be enabled for your MDM appliance as a whole, which is then extended to the Apple DEP facet for enrollment?
*Thread Reply:* Does not yet appear to be an option inside MI Core 10.6
Does anyone know if there is a bulk way to create managed Apple IDs? Use Case: We would like to enable FaceTime on hundreds or thousands of locked down WiFi-only DEP iPads. We do not have Azure AD in our environment. Ideally we don't want to create each account manually.
1.) Contact Apple to have your anti-fraud clearance reupped (this lasts for thirty day stretches).
2.) Create email accounts via iMacros. Just feed it a list of addresses via text file.
3.) Create iTunes accounts with a "free" account (No credit card attached, purposed for VPP). Use iMacros here and feed the above created accounts.
4.) Verify iTunes account.
*Thread Reply:* OR if you have ABM/ASM but no Azure. Just upload a CSV file into the AxM environment and all the accounts get created.
*Thread Reply:* Sounds great, but I can’t see where to upload. I’m probably missing something obvious. @Peter Mohr or @Jason can you post more details?
*Thread Reply:* https://support.apple.com/en-us/HT207029
*Thread Reply:* Does Apple Business Manager have the same feature?
*Thread Reply:* Ahh. I might have overlooked that SFTP is not supported by ABM. It only works in ASM 😞 dammit
*Thread Reply:* Mind you, I would also argue that AAD integration would probably be the default method for most organisations, so this upload wouldn’t be necessary?
*Thread Reply:* @Jason this would only be the case if you are using AAD as your primary IdP and of course your users haven't set up Apple IDs with their email address previously.
*Thread Reply:* @danlux says he doesn’t have Azure AD. For shits and giggles, I just tried federating groundctl.com to our (mostly unused) AAD test environment, and Apple says there are 45 Apple ID conflicts. Curious, since we had at most 18 employees…
*Thread Reply:* @Ajay Patel @aaron I was talking about the more general case, sorry for any misunderstanding. I recognise that this won’t always apply, but it probably would be the default approach for most organisations looking at doing this afresh.
*Thread Reply:* Yes, especially considering the lack of any alternative.
*Thread Reply:* AAD being the only IdP integration is short sighted. Use standards based integrations rather than product specific integrations when it comes to identity (SAML, OAuth, OpenID, etc) would be much more viable for most enterprise customers.
Any one here an expert on Apple Purchasing program? It may be a silly query but it's confusing me a bit. Are the licensing options different for Mobile devices when compared to Desktop? If I need to roll out MS Teams app would i need an E1 license to get all the features on the mobile app too? Any help to clarify this is appreciated. Thank you all 🙂
*Thread Reply:* I'm not an MS license expert but O365 E1 should do the trick for Teams since the app doesn't need to get licensed with MS (other than Office). Just buy it in ABM for free. BUT you will need EMS/Intune licenses for security
*Thread Reply:* The apps themselves are free and will work in a read-only mode. When the user signs into the application, it will allow the user access to the application depending on the SKU you assigned to the AAD user.
*Thread Reply:* Might be different for macOS though. Application might refuse to function unless it is licensed.
*Thread Reply:* Thank you @DirkC, that makes sense. However we are currently using ABM with Workspace One.
Yes! We now have an SSO extension from Microsoft 🙂 https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin
*Thread Reply:* this is huge - do you know if there's a plist on what the config to the device needs to look like in case we aren't using Intune
*Thread Reply:* For share device or for the SSO extension?
*Thread Reply:* ?? The config options are listed at the top. In the section "Enable the SSO extension with mobile device management (MDM)" https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin#enable-the-sso-extension-with-mobile-device-management-mdm
This is standard iOS 13 SSO Extension config parameters. No plist/app config required
does anyone have handy, I think it was WWDC last year, where Apple said we'd need Managed Apple IDs and Device Supervision to manage corp owned devices going forward?
*Thread Reply:* I don’t recall it being mandatory - just that if you want access to corporate style restrictions, the only way will be if the device is supervised, hence ABM/DEP enrolment.
*Thread Reply:* Apple is revoking the restrictions/controls over BYOD to protect user’s privacy
*Thread Reply:* As for Managed AppleIDs, I have not seen any mention of these being mandatory for anyone?
*Thread Reply:* The WWDC video you’ll be looking for is session 303: https://developer.apple.com/videos/play/wwdc2019/303/
not finding anything specific to managed Apple IDs in here just yet https://developer.apple.com/documentation/devicemanagement/restrictions
Oof I'm glad because there's many situations where Managed IDs aren't an option
Like in our case where the email address doesn't match the UPN
and we've been telling users for .... 3 years now to use their work account for their apple ID, conflicts ahoy!!
*Thread Reply:* That too.... You have to resolve all the conflicts when you sign up. Great, when you have 160.000 users and there's no API to automate it 😛
*Thread Reply:* yikes, you've got 10x the users, I can't even...
Hello iOS group, I would like to pose a question about whether the volume button can be disabled on a Supervised iPad. Use case is an app needs to always be on audio with no ability to lower or silence via the volume button. Cannot find anything in Restrictions using MI Cloud, and trying to figure out what options are available to disable. Love to hear feedback on this. Thanks all!
It’s possible if you use single app mode. Otherwise no.
Hey Aaron, so I can disable in SA mode only. Interesting because you would need to be in Supervised mode to get there. is that a SA mode feature or a Supervised feature? Hope you are well Aaron.
Hi Paul. It’s a feature of Single App mode, but that’s possible only when supervised… so… both? Anyway, here’s the actual documentation. These settings are permitted, but may not be visible in every MDM. https://developer.apple.com/documentation/devicemanagement/applock/app/options
The new iMazing Profile Editor includes these options: https://imazing.com/profile-editor
Had a senior moment / Noticed iPadOS kept trying to install the WebEx Add-in (for MacOS) whenever I was attempting to join company WebEx sessions. Apparently Safari on iPad OS defaults to requesting desktop versions of sites as of recently. Guess its part of trying to have iPadOS/MacOS unification. https://help.webex.com/en-us/WBX9000031720/I-m-Prompted-to-Install-the-Webex-Add-on-While-Joining-a-Meeting-on-my-iPad
*Thread Reply:* Yep, iPad OS identifies as MacOS in Safari. Started right away when iPad OS was introduced.
*Thread Reply:* Yeah! I do wish they would allow to disable that setting for selective sites, instead of across the board. I’d rather keep it identifying as desktop.. but only stick with “mobile” for WebEx
*Thread Reply:* This actually causes more issues. For example registering the device on MobileIron Cloud. When Safari is set to Desktop, the device will be seen by MI Cloud as a macOS device rather than an iPadOS device. So be careful with that desktop mode in Safari
*Thread Reply:* Yeah / I noticed that while I was enrolling to test Core + Access SaaS last week @Mark Vonk. I wonder if its possible to disable as a Supervised control?
*Thread Reply:* Same with Box (dropbox alternative). It prompts to install the compliance validation tool for Mac...
*Thread Reply:* Though I have to say, if programs are using the User-Agent header they are doing it wrong... It's nothing but a kludge.
*Thread Reply:* At least the browser makers are understanding that now too.. https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/
*Thread Reply:* Most vendors fixed this before iOS 13 went GA. Can’t believe Webex hasn’t yet
*Thread Reply:* Def a huge mess with user agent strings and will be interesting to see how Google’s move shifts things
*Thread Reply:* @Kiran Patel curious what vendors that addressed it used to identify the device as still being an iPad. Or if they went with the Client Hints framework?
Has anyone updated your Apple devices to iOS v13.4? Any major issues? As I can see issues with sound and banner notifications not functioning correctly after the update.
*Thread Reply:* Have an issue with full screen webclips in 13.4. It takes 10 to 15 seconds to open the webpage. Disabling the full screen option 'solves' the issue.
*Thread Reply:* I have an issue with the AirPods for outgoing phone calls
*Thread Reply:* We’ve seen that if Safari is set to private mode that our webclips for our enterprise App Store that uses CBA doesn’t work with no real error that helps an end user
Does anyone have an example PAC file for APNs access over proxy under iOS 13.4?
*Thread Reply:* Read the section about HTTP Proxy at the bottom of this URL https://support.apple.com/en-gb/HT210060 i assume this is what you refer to?
*Thread Reply:* Have you checked the test plan for Proxy PAC APNs on AppleSeed for IT?
I don't have a ton of info at this point, and a single user so far. WiFi only iPad refuses to join corporate AP
• device has been wiped
• multiple physical locations attempted
• multiple user accounts attempted
• there is supposed to be a cert prompt that doesn't happen
• date/time/timezone all check out
is this an iOS 13.4 quirk?
The device is enrolled in MDM? Perhaps the MDM is pushing a WiFi profile, perhaps with a bad password, to the device?
*Thread Reply:* enrolled in my corporate workspace one tenancy, we don't do a wifi profile
*Thread Reply:* networks insists they see it authenticating successfully.
*Thread Reply:* Maybe this: https://support.apple.com/en-us/HT210176
Who knows which MDM actually supports the temporary session for Shared iPad feature?
*Thread Reply:* The only thing for MDM to support is to disable the guest login. Do you mean that?
*Thread Reply:* Ok, but why didn’t I see the shared user option on my iPad (supervised, DEP, 13.4)?
*Thread Reply:* Ok, hmm , i enrolled my iPad with DEP via Apple Configurator :(
*Thread Reply:* Airwatch has not added support for Business use for shared iPads yet, they say it is coming in a new console coming in a few weeks https://blogs.vmware.com/euc/2020/03/what-are-shared-ipads-for-business.html
*Thread Reply:* MobileIron will add it in near future too
Hey all, is there any way to add emergency contacts as a webclip on iOS? Any one tried this? I am hoping to be able to apply the contact itself as a dialer
*Thread Reply:* Hi. You should be able to add a webclip with a tel:// link.
*Thread Reply:* Tried this out, seems like Safari blocks this out after I cancel the call three times. Then I have to accept thrice to allow it. Not a very reliable idea I guess. Now just looking for a way to permanently disable this block. 🙂
I'm sure you've seen this security issue in the iOS mail app that was published yesterday: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/ Is anyone taking action based on this?
*Thread Reply:* Yes, this looks pretty bad, but since there is no patch available its a big decision for organisations. Most likely Apple will release a patch for this within few days, then it doesn’t seem reasonable to start migrating users from Native app to Outlook/Gmail.
Options from Exchange ActiveSync:
There is speculation about iVerify app being potentially able to detect this attack.
*Thread Reply:* Mitigation actions that I am aware of are:
• Update to latest beta 13.4.5 using Apple Beta Software Program
• Disable auto sync: Go to Settings > Password & Accounts. Set Fetch New Data to “Manual” and disable “Push”.
• Use Safari or dedicated E-Mail clients such as GMail and Outlook
*Thread Reply:* Agree with you @Alo Press, no point in rushing to migrate people to a brand new app as they’ll address and patch in a very short window
*Thread Reply:* Also curious to know if any of the email content that can trigger the vulnerability made it past SPAM/Junk filters of any of the major Email players.
*Thread Reply:* Question is, given the apparent severity of the vulnerability, will Apple release patches for iOS 10/11/12 or are all iPhones prior to the 6S now a huge liability?
*Thread Reply:* I’d guess they would touch them all, but to be safe I’m forcing out devices that don’t support 11, 12 or 13
*Thread Reply:* @Alo Press great input 👍 Switching to manual sync and disabling push - that would only avoid automated actions, but if the user uses the mail client we are back to square one, right? I am not sure what actions we should really take - like you guys mentioned, migration to another app is a pain - especially for us. We use KCD with MobileIron so Outlook is out of the game. Email+ and Notifications is a pain if no VIP notifications are configured.
*Thread Reply:* Thanks for the great input. Given the (hopefully) near release of 13.4.5, our main action right now is to prepare end-user communication to get the devices updated as soon as possible
*Thread Reply:* We just had an internal huddle on this as well. Wanting to refrain from a knee-jerk reaction, especially with so many of our workforce being remote during this time, we would rather continue as-is and use Supervision to push the patch, knowing Apple has a fix in the pipeline.
*Thread Reply:* Fun part is that I’m dealing with “Google Nation” over in our shop, so they take shots at iOS every chance they get
*Thread Reply:* Same here Woody!
*Thread Reply:* Maybe I'm reading this wrong but based on Apples response to me it sounds like it's coming as a patch to iOS 13 rather than an Apple Mail app patch. So if I'm understanding that correctly the only way to be secure will be to go to that latest OS release or use a third party mail client. https://www.theverge.com/2020/4/24/21234163/apple-ios-ipados-mail-app-security-flaw-statement-no-evidence-exploit
*Thread Reply:* The iOS Mail app only ever gets updates in an OS update that I have seen
*Thread Reply:* Was anyone able to find evidence of this in the iOS/iPadOS 13.5 release notes yesterday?
*Thread Reply:* Hey @Woody did you ever come across anything saying it was actually patched? I see 13.5.1 is out but I still haven't been able to find anything confirming it's fixed
*Thread Reply:* https://support.apple.com/de-de/HT211168
Hi folks, I have to deploy a web clip on coronavirus alerts to our iOS devices. The problem I have is that they open with Safari by default. The link is hosted on O365 and as we can’t secure Safari we block login.microsoftonline.com and instead use the Microsoft Edge browser which is secured via Intune MAM. Any way around this? Thanks
*Thread Reply:* You could secure Safari :-) or you can Use:
microsoft-edge-http:// or microsoft-edge-https:// in your web clip
*Thread Reply:* Thanks! Could you expand on “secure” ? 😊
*Thread Reply:* Sure. You can limit what Safari can be used for with a few different tools:
*Thread Reply:* 1-3 are built into iOS; 4 is an additional agent of some sort
*Thread Reply:* Yeah, we studied Safari domains at the beginning of our project and there were some issues there. Can't remember off the top of my head, but we do currently use it for internal sites, just not for O365. We also have DLP deployed, but in testing this didn't apply to Safari and, for example, we were still able to download attachments from login.microsoftonline.com. Not sure if there are certain restrictions we missed there, but it was all tested in conjunction with VMware professional services.
*Thread Reply:* Regarding the Edge scheme, that didn't work; it just opens in Safari with this part even though I added the URL after it: Microsoft-edge-https and nothing else. Can you add an example of this with the full URL in case I've missed something?
*Thread Reply:* yeah, you can’t block download of attachments in Safari per domain, that must be done server side, BUT with Safari and DLP you can control WHERE those attachments end 🙂
*Thread Reply:* Use this: Microsoft-edge-https://my.fqdn.com/vdir/
*Thread Reply:* you must remove the normal http:// and https://
*Thread Reply:* I did, will have a look after my lunch 😊
*Thread Reply:* ok. I just tested again. works for me 🙂
*Thread Reply:* Probably white space 😉 I’ll check in a bit
*Thread Reply:* Just need to work out how to leverage Edge on Android for the same need
*Thread Reply:* Created a web app for AFE but wondering how to force it to open Edge
*Thread Reply:* @Damian should be something like this:
microsoft_edge:<https://www.google.com>
but haven't tested this just now.....
*Thread Reply:* Tried that variation and get “Enter a valid URL”
*Thread Reply:* I’ll keep looking, in the meantime adding the guru here @Jason Bayton
*Thread Reply:* Yep, not the same as Android though lol
*Thread Reply:* These guys have gotten it to work too: https://stackoverflow.com/questions/31909274/launching-microsoft-edge-with-url-from-code and https://stackoverflow.com/questions/59846066/url-scheme-to-call-the-microsoft-edge-app
how are you building your links on your device. Using mail or text or MDM or ?
*Thread Reply:* I tried from Chrome within “Work” and it doesn’t work
*Thread Reply:* Tricky. Webview is based on Chrome and that's how these apps launch, I'm not sure it's possible to swap out the underlying engine like this.
*Thread Reply:* However...when I opened Edge in work for the first time I get this which allows me to choose Edge as the default browser. I wonder if it’s opening Edge or Chrome inside the web app. I’m going to block Chrome from the O365 url and see what happens
*Thread Reply:* It's a webview application; the Chrome webview engine superseded Android's AOSP webview for GMS devices some years back, so even if another browser is default, this still opens in the Chrome webview and requires Chrome on the device.
*Thread Reply:* @Jason Bayton any concerns using Chrome “Work” for access to a single O365 url - our restrictions are pretty tight.
*Thread Reply:* No, managed config for Chrome will allow you to blacklist everything and whitelist only your chosen domain. The webapp will respect that also
*Thread Reply:* Domain/URL/wildcard that is. Not just domain
*Thread Reply:* Yep we control that already with our device traffic rules. On another note, blocking chrome on that url also renders the web app blocked and so is logical as per your previous comment. Thanks for taking the time to respond - appreciate the insight and have learned something today. Thanks to @Peter Mohr for his efforts 😉
Hey all, has any one created custom profiles for iPhone sound?(ring and message tones) for MDM?
*Thread Reply:* Following. AFAIK, there is no capability to do this in iOS.
Hi guys, anyone aware of issues with DEP Macs going into recovery mode? have a customre reporting about 20 macbooks having this issue in last 2 weeks
Hi everyone, hope you all are doing alright. 🙂 Can anyone recommend a third-party app for APNS notifications? Certain apps don't work so well when on standby and do not receive notifications, so I needed ideas on what third-party apps can be used to provide just push notifications to these devices. Or does it HAVE to be embedded in the app SDK alone?
Has anyone paid attention to this vulnerability on iOS devices, and what can we do with MI Core?
https://world-today-news.com/another-zero-day-vulnerability-in-ios-apps-can-break-out-of-sandbox/
*Thread Reply:* Thanks for sharing @Mikey2000
*Thread Reply:* This is due to be addressed in 13.5 (which is in Beta 4). I’d guess they’ll have it releasing as quickly as possible.
*Thread Reply:* Agree.. let’s see if they will release it mid may. Not sure if there is anything you can do right now anyway!
*Thread Reply:* really interesting exploit. link is in article @Mikey2000 posted but just in case here is the detail https://siguza.github.io/psychicpaper/
*Thread Reply:* no evidence apps would get past App Store checks though so risk is probably low for managed corporate devices
*Thread Reply:* @Mikey2000 MTD would detect this anyway with an Elevation of Privileges threat
*Thread Reply:* Was anyone able to find evidence of this being addressed in the 13.5 release notes yesterday?
*Thread Reply:* ZeCops confirmed 12.4.7 & 13.5 fixed
*Thread Reply:* https://twitter.com/zecops/status/1263516074634440706?s=21
*Thread Reply:* Haha / I bet ZecOps was waiting patiently for that proof
*Thread Reply:* https://blog.zecops.com/vulnerabilities/hidden-demons-maildemon-patch-analysis-ios-13-4-5-beta-vs-ios-13-5/
*Thread Reply:* Since the updates are out now, how do you block versions lower than 13.5 and 12.4.7 with one security policy? I guess that's not possible since there is only one dropdown field. Suggestions for MobileIron Core?
- Use two security policies and use filter labels which target the specific versions, if this is possible
- Use the version check in a compliance policy instead of the security policy
*Thread Reply:* I’d create 2 labels using Model and OS as conditions, and apply 2 different security policies, one to each label
Has anyone played around with this new DLP feature from Google? https://gsuiteupdates.googleblog.com/2020/04/ios-dxp-data-exfiltration-protection.html
*Thread Reply:* Curious what tech it uses to compliment an existing MDM scenario
*Thread Reply:* looks very similar to Intune app protection (MAM) controls
*Thread Reply:* It's all within the Google apps so prob not using any native capability
*Thread Reply:* Agree @Paul Conaty. Probably messy to administer alongside iOS native
We want to push a managed app config for Safari (or other browser) to an iOS device with MobileIron Core, so we can set bookmarks and other settings. Is that possible? Any experiences?
*Thread Reply:* depending on the URL it will open one or other browser
*Thread Reply:* http:// and https:// always open Safari
*Thread Reply:* Great input - thank you 👍✌️
*Thread Reply:* Can I run a webclip in Single App Mode?
*Thread Reply:* If you are on Mobileriron, you can use their Web@Work browser. That one does allow for bookmarks configured from Core
*Thread Reply:* Right Mark, thanks. Sorry, I forgot to mention I am looking for a browser which I can run in Single App Mode (one website) and maybe SSO, and W@W is not supported in Single App Mode (at least that is what MI support told us).
Fun one: Backed-up kids iPads to iCloud (iPad Mini) and restored to new iPad Air units. Everything went swimmingly, except the fact that it did not restore the proper screen-time lock code. Anyone else encountered this?
Alright, figured this one out. Moved from Devices running iOS 12 to 13. Didn't realize the iCloud Family Sharing dictates the Screen Time lock code across the Child's account #SeniorMoment
What are everyone's thoughts on disabling the activation lock if a device is enrolled into ABM? Personally I cannot see the need to have the activation lock, as the DEP enrolment process would stop anyone in their tracks if a device was stolen (as long as it's not removed from the ABM portal).
*Thread Reply:* Activation lock requires the prior user’s Apple ID name and password when a device is set up. It locks that device to the user. But every DEP device is owned by a company, not an individual user. Why give users power over the company like that?
I agree. Turn it off always.
*Thread Reply:* @aaron agreed, yet I still see so many customers with this option enabled and I couldn't think of any genuine reason why
*Thread Reply:* Bad feature design compounded by poor UX? Call it “Apple ID password lock-out” and nobody will enable it. Even better, never show this in any MDM. Supervision already disables activation lock — this feature defeats supervision and forces activation lock on.
*Thread Reply:* I’m in agreement. I’ve racked my brain for use cases for this and can’t seem to come up with any viable reasons 🤷♂️
*Thread Reply:* We have a use case where people trade in their DEP device at an Apple Store to get $ for a personal device. Apple will accept the trade-in unless AL is enabled. MDMs can enable AL, but our MDM (WS1) doesn't support this yet. I realize this may not be super prevalent, but it has happened multiple times
*Thread Reply:* My Apple SE suggested we enable AL with our MDM to help prevent people stealing/re-selling. VMware said they're working on implementing this MDM feature. I didn't realize it's in beta until I looked up the command: https://developer.apple.com/documentation/devicemanagement/activation_lock_a_device
*Thread Reply:* I never noticed this feature isn't available in WS1!! It's available in most MDMs already, if I'm not mistaken?
*Thread Reply:* I thought the same. I know other MDMs have it. What's confusing is, based on the link above, it's still in Apple beta, but maybe it has some new changes in beta. WS1 can allow/disallow AL but they aren't able to set it. When I opened a VMware case they said they're working on supporting it though.
*Thread Reply:* Having it in DEP and assigned would prevent use after theft as well.
*Thread Reply:* I’ve also used DEP to catch thieves.
*Thread Reply:* I think what we're saying is that it makes it possible to use it; it doesn't actually activate it
*Thread Reply:* Although if you enable that and then are allowed to use find my iPhone on the iPhone wouldn’t that actually just turn on activation lock?
*Thread Reply:* I’ve never actually tried because I’ve never actually enable that setting
*Thread Reply:* Hey @Peter Mohr that setting is to allow/disallow the user to enable AL. WS1 doesn't support enabling AL via MDM during DEP enrollment
*Thread Reply:* looks like SimpleMDM supports MDM enabling AL and their description of it is, well simple. https://docs.simplemdm.com/article/124-activation-lock
*Thread Reply:* I mean technically there is no actual setting on the iPhone that turns on activation lock, activation lock simply gets turned on via find my iPhone. Turning that setting off just tells iOS that activation lock is not allowed so it doesn’t turn it on.
*Thread Reply:* @brob true, WS1 doesn't enable AL. But with this setting I can allow the user to enable AL (or not). User can always use "Find my"... just without the AL...
*Thread Reply:* How would WS1 turn on AL. To which AppleID?
*Thread Reply:* SimpleMDM is saying that you need an Apple ID and password set on the device in order to use it. That means you have to sign in to iCloud, which means you turn on Find My iPhone; you cannot just turn on activation lock on its own
*Thread Reply:* Ahh. got it: If activation lock was enabled by SimpleMDM at the time of device enrollment, the Apple ID of the administrator that generated the Automated Enrollment (DEP) server token within Apple Business Manager may be entered.
*Thread Reply:* We were having a lot of employees trade in DEP iOS devices at Apple Stores. I reached out to my Apple SE to see what we could do, and he said we should use our MDM to enable AL so the Apple Stores won't accept the trade-ins anymore. VMware said they're working on supporting it
*Thread Reply:* Weird that Apple doesn't just check to see if the device is DEP enabled and then don't offer trade in
*Thread Reply:* No kidding, I was surprised that they don't
*Thread Reply:* I haven't heard of anyone trading in a Mac, but I don't see why they couldn't
*Thread Reply:* Ah nice, what CN is that? I just checked CN135 and I see where I can enable it...
*Thread Reply:* You are trying to solve an HR problem with a policy that will make other issues; a better tack may be the fact your employees have a fraud problem, saying the device is theirs
*Thread Reply:* Ah, CN135 is one of the dev CNs and it's on 20.6
*Thread Reply:* So you need managed Apple IDs I imagine.
*Thread Reply:* I’m still at a loss why apple Stores would take a device that comes up with remote management 🤷♂️
*Thread Reply:* I don't think you need MAIDs. Just the admin/DEP token MAID
*Thread Reply:* I wonder if that is policy or a badly trained store
*Thread Reply:* I agree with everyone 🙂 I don't see the harm in forcing AL, although I'd have to test it
*Thread Reply:* Retail isn’t the best at following policy
*Thread Reply:* I checked and none of the stores check for DEP
*Thread Reply:* The harm is when devices get wiped they get asked for the password
*Thread Reply:* Also moving devices between users becomes a real mess
*Thread Reply:* And then Apple has the power to remove it from DEP. that’s just maddening.
*Thread Reply:* Yeah true, not sure how to handle that. I guess we could get the bypass code, but that's a help desk call at least
*Thread Reply:* Agree, what's worse is we have no indication when Apple or carriers/resellers remove devices from DEP
*Thread Reply:* adding tons of complexity and failures (those codes do not always work) without much reward
*Thread Reply:* Yeah. Bypass can be obtained from the console. Provided you don’t delete the record, even after unenrolling.
*Thread Reply:* The real thing to address is why your workers are stealing phones in mass
*Thread Reply:* Interesting chat fellas. Gets some ideas in my head :)
*Thread Reply:* Good point Stephen. I'll bring this up to my manager. Apple recommended it as a way to prevent stealing, so trying to follow through with investigating/testing
*Thread Reply:* right I agree, people are stealing and HR needs to take action regardless of what IT can do
*Thread Reply:* It is worth noting I come from a protect the data is key, not really caring about the devices value mindset
*Thread Reply:* Yep, the devices are cheap in my shop. .99 cents cheap.
*Thread Reply:* in all but rare ones yep, they can buy the expensive ones but almost no one does
*Thread Reply:* And if you don’t have it when you leave or need an upgrade. We make you pay the replacement cost which is full value.
Apple still has not released security patch notes for 13.5 which is way longer than usual for no security notes
FYI An excellent discussion of ways to distribute internal apps: https://mobilxperts.slack.com/archives/C1V75UE76/p1590150374343500
Force iOS Updates via MobileIron Core without WiFi - devices receive the message that update is only possible with a wifi connection. Is there a way to update without wifi?
You can update without wifi. It depends on your carrier settings. Apple negotiates this for each carrier and puts the limits into the settings of each device. How to check??
iOS OTA updates are not limited by Apple; they may be limited by carrier bundles. Here is how you can find out if your carrier is limited:
Sharing here too! https://mobilxperts.slack.com/archives/C1V75UE76/p1590743160456300
*Thread Reply:* Do you remember the thread I created around this a while back about managed apps being offloaded? Crazy...😆
*Thread Reply:* So is Apple going to include a MDM control to prevent managed apps from being offloaded?
*Thread Reply:* That’s the idea however unsure as to how they are going to achieve that exactly!
*Thread Reply:* I bet my balls that they will include the control only for Supervised devices...!!!
*Thread Reply:* I already told them that this doesn’t concern supervised devices in our case so it’s a “global” change.
*Thread Reply:* I also just checked my supervised test device and I don’t see an option there to offload unused apps
*Thread Reply:* Unless that is controlled by some obscure setting in the restrictions profile
*Thread Reply:* I def recall hearing that if it was a managed app it wouldn't get offloaded. Crazy this is still an issue. Did this recently regress in an iOS 13 release?
*Thread Reply:* It’s been like this forever...the fact that one of our VIP users got wiped due to the compliance policy based on hub being removed was the last straw...
*Thread Reply:* Just got confirmation from Apple that this is fixed in iOS 14 beta which was released last night! Need to test ASAP
Which MDM rules do you use to detect, prevent or hinder jailbreaks of your devices early on?
*Thread Reply:* Detect via MDM or MTD. Prevent: stop unknown developers, unknown sources, ADB (simply stop sideloading and debugging). Early action via local actions of MobileIron, so no roundtrip over servers is needed. Since most containers depend on device encryption/security (face/finger unlock, real-time notifications, weaker implementations like Microsoft), wipe on jailbreak is done regardless of container or not.
*Thread Reply:* I would add: prevent installation of config profiles by users and, depending on your threat model, also block USB/Lightning data access.
Does anyone of you have an overview of containers like Boxer and/or a recommendation when to (not) use them ?
*Thread Reply:* If you need the extra security or have use cases native can't do, use containers. If you want native things like caller ID in the car on iOS to simply work and be GDPR compliant, native is better. In the end most implementations are mixed.
*Thread Reply:* The containers are tied to MDM, so it's not really useful to only look at them
By chance… Does anyone happen to have stock footage of a DEP device enrolling with custom enrollment and Okta as the IdP for enrollment into the MDM?
Enquiring to know more about this Certification - GIAC Mobile Device Security Analyst (GMOB), anyone already completed and has more information? Possible to share tips and tricks ?
Does anyone have any recommendations on how to easily clear up cached/temp files on a managed iPad? Is it possible to do this remotely thru an EMM or is their an app everyone recommends that can be deployed and used by a tech on site for this purpose?
*Thread Reply:* What problem are you trying to solve that needs those to go away? That is not a thing for iPads; there is no clear cache or temp files button
*Thread Reply:* User has somehow maxed out the storage on the device (all 25 GB), so it's either an app cache or browser cache. I'm still waiting for a tech to get hands on with the device to get more specifics, but trying to figure out options ahead of time.
*Thread Reply:* Also, since the device is out of storage, it's preventing it from taking OS updates as well.
*Thread Reply:* Clear cache is not an iOS option. Also, it is usually pictures; browser cache is better behaved than that
*Thread Reply:* Ya this looks to be a specific app that was causing it. Removing and re pushing the app down fixed it for now.
Going through some Apple DEP this morning and the Passcode screen is requesting for a Strong Passcode with 6 or more characters and 4 Special Characters. Where is this setting enabled? I can’t see it from an MDM DEP Profile (Intune) perspective… Is this new? The solution for now would be to skip the passcode screen. (Re-posting in the right channel)
*Thread Reply:* You should post in the #microsoft_endpointmanager channel
DEP question! Anyone elses devices getting stuck at "awaiting Final configuration from xyz org" and not proceeding? All was working fine earlier this week, no changes to the mdm profile and using Endpoint manager.
*Thread Reply:* Not me. Working fine for us.
*Thread Reply:* Sometimes we have seen it. Try resetting again and see. And don't push so many apps in auto mode ....
Did I see that correctly that SCIM has now gone live for ABM and has left the beta ?
Hi All I am trying to change the default search engine of Edge browser deployed on iOS from my Intune MDM (default is Bing and I don't want it). Any suggestion?
*Thread Reply:* I do not think that option is available. See: https://docs.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#utilize-app-configuration-to-manage-the-browsing-experience
*Thread Reply:* I do not see it listed in the app config either
Does the edge browser support any kind of app configuration changes?
*Thread Reply:* App protection policies or App configuration policies? Yes to both
*Thread Reply:* So if edge browser support app config from the mdm then you should see if there is a key value pair for default search engine in edge. (I assume you are talking about changing the setting in edge browser away from bing to something else like DuckDuckGo?)
*Thread Reply:* Yes: https://docs.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#utilize-app-configuration-to-manage-the-browsing-experience
But not a setting to change the search engine
*Thread Reply:* Time to open a ticket with MS. It is kinda up to them to make that option available.
Hey all, we have a large group of people that use their iPhones to hotspot when working in the field. We are seeing an uptick in calls regarding people not being able to connect to their hotspot. Currently in the middle of writing a troubleshooting document, and one of the steps I was going to include was to reset the network settings. What I noticed is when you perform a reset on the network settings it also resets the device name back to "iPhone". This is a huge problem for us. We use MobileIron to manage our devices with filtered labels, and in order for the filtered label to work properly the device name needs to be set properly or else the device won't get picked up. Currently we have device name changes restricted so the user wouldn't be able to do this themselves.
Has a network reset always had this behavior of renaming the phone when performed?
Why are you resetting the network? That should be rarely needed. (I can’t remember the last time I have needed that and I use hundreds of devices annually and weekly I have 3-5 different devices on my hotspot alone.) Do you know the reason the hotspots are failing?
*Thread Reply:* We are attempting to reset the network settings as a troubleshooting step. This isn't impacting many of our phones, but enough for them to start asking for help. We are still trying to determine why their laptops are having problems connecting to their iPhone's hotspot, but the connection simply fails. The issue doesn't seem to be specific to a certain iPhone model, and iOS versions vary between iOS 12 and 13.
Anyone here any good with in-house iOS apps and provisioning profiles? (I am in no way an app developer.) Have a customer whose profiles are due to expire and the certificate is due to expire also. When they have selected a new certificate in their developer portal and upload the new profile into their MDM they get an error saying the certificates do not match. Is there a specific way they should be renewing their certificate without having to re-wrap their app and re-deploy it from scratch?
*Thread Reply:* Provisioning profiles can be renewed on the fly. Certificates always require a new app deployment. One of the many reasons why Apple actively tries to switch to Custom Apps.... Look at https://developer.apple.com/videos/play/wwdc2020/10667/
*Thread Reply:* Thanks @Peter Mohr, thought that was the case! I did try to push the customer down this route, but they are yet to leverage ABM and are still quite old school in their deployments
Is anyone having issues with AC2 and adding devices to ABM/DEP ? I'm struggling with 2 Mac (Catalina + Big Sur) and 2 ABM accounts from 2 different organizations.
*Thread Reply:* I was getting the error "MCCloudConfigErrorDomain – 0x80EF (33007) The cloud configuration server is unavailable or busy" on AC2 while trying to add devices to ABM. All my troubleshooting was done with 2 devices, and I finally found that those 2 devices were the issue: 1 was already tied to an ABM tenant (I didn't know about), and 1 was unassigned but not released from another ABM tenant (I thought it was released previously). TL;DR: you get this error when you try to add a device that is already assigned or unassigned to an MDM in an ABM tenant.
https://9to5mac.com/2020/09/11/ios-14-iphone-google-chrome-default-browser/
*Thread Reply:* Wonder if they'll incorporate a config to set that remotely via MDM
That’s available with the latest public chrome version
*Thread Reply:* Nice, I see Firefox and Edge are late to the game!
*Thread Reply:* More like abiding by the rules you are not supposed to support features in beta versions till release per Apple rules
*Thread Reply:* I believe it’s only a profile entitlement so it’s not really a new API, that’s probably why it was published.
*Thread Reply:* Not yet for Outlook
*Thread Reply:* @Damian now working with Edge
Apple has gone ahead and done the unthinkable regarding MAC address randomisation! Even if the MAC address was changed to private after an upgrade to iOS 14, it should have kept the physical MAC address as per our tests and confirmation by Apple during the entire beta cycle right up to beta 8, and we had absolutely nothing to do on the MDM side. However, they changed the behaviour from beta 8 to GA, so the damn MAC address is no longer the physical one... now all our users have to uncheck this to get access to our corporate Wi-Fi. Things like this really piss me off...
*Thread Reply:* Apple broke all my DEP tokens Tuesday when they flubbed the license agreement.
*Thread Reply:* What do you mean by broke? I just accepted the agreement on the ABM - do I need to check something here??? 😧
*Thread Reply:* They were supposed to have the agreement out Tuesday and instead they broke the portal all morning. In that process my tokens were revoked.
*Thread Reply:* How does it show revoked on the console? (checking mine now)
*Thread Reply:* Or if you manually sync from lifecycle
*Thread Reply:* I can only look in DEP for some of them does it say there?
*Thread Reply:* And your new devices would not be syncing
*Thread Reply:* I do DEP for groups who manage their own MDM, so wanted to check in DEP (yes, it is all the same organization, don't ask). Not seeing revoked and seeing new sync dates in ABM, so I should be good, right?
*Thread Reply:* I just synced devices on WS1 UEM - no error
*Thread Reply:* They are making changes in ABM and ASM too without mentioning it. Some UI stuff etc. Typical Apple.
*Thread Reply:* I want my field to mass upload serial numbers or spreadsheets back; it is not good for trying to process getting rid of lots of devices. Also the UI for adding a device by order number got way, way worse
*Thread Reply:* Yeah. They are changing it all up. Scary
*Thread Reply:* Okay good lol I just linked it to our Intune environment and went to move a device over to start testing and was like WTF did I do lol
*Thread Reply:* Seems you can paste bulk serial numbers into the small field
*Thread Reply:* Ya I searched for the S/N of my test device so I could move it from WS1 to Intune. Hopefully they fix ABM before others in my company notice and call me freaking out lol
*Thread Reply:* How do you get the IMEI search? I did not see a field or get results in the main search window
*Thread Reply:* Download all your devices via CSV
*Thread Reply:* Seems about right for Apple's new UI
*Thread Reply:* @Damian, there’s a setting within Wi-Fi payload for iOS 14 that allows disabling MAC Address randomization.
Which UEM product do you use?
*Thread Reply:* Maybe a Feature Request for your vendor?
*Thread Reply:* We use Airwatch aka WS1 UEM and we already tested this custom xml which works but it’s a false alarm on our end as we weren’t getting the right info - just panicked users
*Thread Reply:* This setting is intended for all those using NACs
*Thread Reply:* so I was surprised while reading you
*Thread Reply:* I use an NPS server via CBA/TLS, but there the MAC address is not relevant
*Thread Reply:* So to confirm, the physical address doesn't change but you will see the private address checked. It was only happening when users uncheck the Wi-Fi connection; if they recheck, they are given a private address and lose the physical one. This is the behaviour we are seeing now
*Thread Reply:* I cannot say. Maybe someone using a NAC can confirm it
*Thread Reply:* fwiw Apple did update the ABM release notes last month: https://support.apple.com/en-us/HT208802
*Thread Reply:* Apple mentioned this in the AppleSeed events too
*Thread Reply:* I would have to disagree with their claim of improved bulk management
I’m seeing a bunch of people with crashed iPhones doing the update. Fun times.
*Thread Reply:* We had some too. Anyone got any other issue with this update ?
*Thread Reply:* Weird. I had the smoothest/quickest major version upgrade to date. What are the symptoms/issues?
*Thread Reply:* On our side, it was an issue with DEP devices and not iOS 14. Some had to be wiped after the upgrade since they were locked at the authentication prompt. Renewing the DEP token solved the issue. I haven't heard about any other issue during this upgrade, except the one about apps not ready for iOS 14 (but I didn't experience an app not working because of this).
*Thread Reply:* Were they getting stuck at an Apple logo or refusing to restore even with iTunes?
*Thread Reply:* What have you been doing to get people going? I have had a couple of reports out of a couple hundred updates, which is high for Apple
*Thread Reply:* They have to use iTunes to update it and it finishes
*Thread Reply:* Toughest part is iTunes is not allowed on our laptops 🤷♂️
Howdy folks! I’m just wondering how everyone is currently managing BYOD iOS devices from a MAM O365 perspective? Do your security/compliance teams require that your BYOD devices have a passcode enabled and so this requires MDM? From what I’ve understood, Microsoft MAM offers encryption at rest but not in transit when compared against BlackBerry Dynamics for example. I’d be interested in how this is evolving for all of you as our users are complaining that with MDM we can do what we like? We’re also starting tests on end user enrollment -to offer better privacy and less admin controls whilst Apple works with other providers like Microsoft to give us dual mode :)
*Thread Reply:* In the APP policies you can enforce encryption. It uses the device encryption which, on iOS, means the user must have a device password. If you set it up that way, MAM enforces a device password, without having to MDM enroll.
*Thread Reply:* You sure it’s possible to enforce a passcode on the « device » without MDM ? I mean have you tested this and not just read a document 😉
*Thread Reply:* Has this always been the case as we setup our infra/policies back in 2017 and were always told we needed to have MDM
*Thread Reply:* obviously you can also specify an app password for the O365 apps
*Thread Reply:* Google are now removing the ability to set a device passcode in WP or COPE in A11 so it looks like app based or container based auth is the way things will go for anything other than fully managed devices regardless of OS
*Thread Reply:* It works differently: you require encryption and MAM Intune SDK encryption on iOS depends on device encryption. Device encryption on iOS requires some form of pin or password. This is default iOS behavior.
Check: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios Quote: “When you enable this setting, the user may be required to set up and use a PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
This has been the case for a long time already. Dates back to the time APPs supported app data encryption.
*Thread Reply:* So no need for MDM, This encryption rule on MAM just enforces the user to set a pin or password. Works perfectly for some of my customers.
*Thread Reply:* @Paul Conaty we already force the users to set a PIN on all MS apps with biometrics allowed.
*Thread Reply:* I’ll throw something else into the mix here. We also deploy some 3rd party apps which don’t have a PIN ability like MS MAM so imagine we deploy without MDM (we use WS1 UEM btw) and the user decides to install one of these apps without first installing a Microsoft app so no device passcode check!
an iOS device running 14.0.1 has an old mail profile deployed by MDM. After removing the Device Management profile, the mail profile still exists. (Account shows up in Settings, but there is no delete button).
I tried erasing/resetting the device and restoring from iCloud, but it also restored the mail profile. (Backup Mail was not selected).
Any idea how to remove this corrupted profile without losing the user’s data/apps?
*Thread Reply:* Have you tried removing the Apple Mail app and then rebooting and reinstalling it from the App Store?
*Thread Reply:* didn’t work 😞. It left all the accounts there, but left it in an “inactive” state
Interesting @brandobot. So the Exchange config was basically orphaned?
yep.. nothing shows up under Settings >> General >> Device Management or Profiles, but the Mail account is still there and not able to be removed 😞
I recall something like this happening back in the day. There was a way to forcibly remove it. I think it came in the form of a custom MDM XML/Policy you deployed to go in and fetch/remove said orphaned payload
This happens to me when someone uses the “no limit” option. Basically it stalls and chokes one removing the huge database of mail and never finished the profile removal. iOS still reports it gone to MDM though. Lesson learned: never use no limit.
I remember using something like imazing to get rid of the profile. But that requires the device in hand.
We have an iOS app from a software developer. The app is not published in the AppStore, but the developer claims that there is a way to deploy private apps via VPP. Not sure how this can be done.
Yes, this can be done via Custom Apps. The developer needs to publish the app in the AppStore and add your ABM Customer ID to it to make it only available for your company. The app will then show up in ABM as a custom app and can be added to your VPP.
See: https://developer.apple.com/business/custom-apps/
Apple wants to get rid of Enterprise developer id's. Smaller companies that request a enterprise developer id's do not get one anymore. Custom apps are the future. Advantage: no need to renew profiles every year. Profiles of custom apps are valid for 30 years. Disadvantage: harder to use alpha/beta versions of apps.
Custom Apps will also still go through Apple Review - so hopefully your developer fancies dealing with that (including providing demo accounts for the review team).
Beta testing of custom are done through Test Flight. However this process can not be managed by MDM.
Anyone hearing complaints about ios 14.01 and battery life?
Disable the Covid-19 bluetooth scanning & broadcasting (c.f. Exposure Settings in the Settings app)
https://micky.com.au/fixing-the-ios-14-battery-drain-problem-will-require-a-factory-reset/
I really hope they fix that in an iOS update
13th October - Apple will officially announce their new iPhone line up
Hey, I remember someone here was able to invite people to AppleSeed, is that person still around? Thanks a lot
*Thread Reply:* no need... Anyone with a managed appleID can log in to AppleSeed now...
*Thread Reply:* AppleSeed provides access to "Enterprise" resources for beta updates, e.g. change logs & test plans with a focus on features used by companies. You can log in with a managed AppleID at appleseed.apple.com
I did search the channel and I apologize for the very vanilla question. I have a client that is now being forced to MFA their appleID across multiple generic devices. I suspect there is no external authenticator app for iOS that would help in this case?
*Thread Reply:* Hey! No there is no app for Apple ID MFA.
*Thread Reply:* What about some kind of google voip phone app so they can share a number to receive SMS?
*Thread Reply:* I’ve tried in the past to get texts to a similar app from apple and they always failed to send it. They are on to you.
*Thread Reply:* You can add up to 6 cell numbers to the same AppleID
*Thread Reply:* that’s how we do to handle more than 5 admins on ABM
*Thread Reply:* we have added several cell numbers to each admin account. The same limit should apply to regular AppleIDs.
*Thread Reply:* Did anyone try to set up a Twilio number with redirection to other numbers? Wonder if that would work
*Thread Reply:* missed this, sorry @Raul. Does it hit all 6 numbers at once or cycle through them?
*Thread Reply:* When you login to ABM, it will prompt you to choose the cell number on the list.
You can add 6 cells to each admin account (ABM allows up to 5 admin accounts)
Sorry for the question - I know this topic has been discussed many times before, but I can’t find the old conversation in here.
Backup/Restore process with DEP Enrollments scenario: We use MobileIron Core with iOS. Devices are enrolled, but most of the devices are not supervised. If the user receives a new device, the new device will be enrolled via DEP and the backup from the previous device should be restored via iTunes (or sometimes iCloud) backup. Yes I know, consumer feature..
So - using the restore option during the setup should be fine to keep the device in supervised state or will this cause issues? Or do we need a temporary device for the restore? Could someone outline the correct process for me?
*Thread Reply:* Backup from unsupervised device restored to Different Supervised device will be OK.
*Thread Reply:* Backup from unsupervised device restored to same device that now is supervised will break Supervised mode
*Thread Reply:* There was a bug sometime back within iTunes restoring DEP devices. Does it matter if we restore from iCloud or iTunes? But restore only during the setup assistant, and not afterwards right?
*Thread Reply:* I will let others confirm.
*Thread Reply:* Restore only during setup, anything else creates a huge mess.
Is there some iOS MDM restriction that would possibly prevent a certificate-authenticated IKEv2 VPN connection?
You can block the install of config profiles. If you know the cert there might be options but I would need to dig into it a bit
You can block vpn connections you did not send
I'm actually just trying to get an IKE working. ASA accepts the connection and authenticates the certificate. Device then drops the connection immediately. It's a fairly constrained COBO configuration, so assuming the ASA is configured properly, I'm wondering why an iOS device might do that. Wondering if I blocked it with some setting somewhere. The certificate is pushed by MDM.
Does anyone use Exchange O365 using Oauth for email etc using the iOS native clients? If so what is the experience with reauthentication? We have mixed results whereby some devices prompt for authentication nearly hourly, some daily, some very randomly.
iOS backup question - does anyone know if its possible to restore a non DEP device to a supervised device using the setup manually option (bluetooth)
*Thread Reply:* backup from same device when it wasn’t supervised or from a different unsupervised device?
*Thread Reply:* If you restore a backup from the same device when it wasn’t supervised, you will break supervision
*Thread Reply:* backup from an old device (iphone 7 - non DEP) to a new device (DEP iPhone XR)
*Thread Reply:* That will not break the supervision
*Thread Reply:* But do you know if it will still work through the manual restore process and not an iCloud backup? I don’t have any devices to test just yet so was wondering if anyone had been through this process
*Thread Reply:* What do you mean with Bluetooth? The Quick Start feature? If yes, never use that with devices you want to manage, it’s built for consumer usage.
Finding that MDM push notifications cannot be sent to an iOS device when an Always-on IKEv2 VPN is active. They work fine if the Always-on checkbox is turned off, and the user toggles on the VPN. All other traffic flows fine. The full 17.0.0.0/8 range is open on the firewall, and ports 5223 and 2195-2197 are open. I see other examples of the problem on the Internet but no solutions. Best I figure it's an Apple bug, and just not many people use an Always-on IKEv2 VPN.
I assume port 443 is allowed from the device to Apple? Because that is the default for APNs now.
Nick, AOVPN is a hard tunnel to deal with. You cannot proxy the APNS traffic successfully (this is where I see most breakdowns); also if you are attempting any type of break and inspect you kill the solution. I would suggest reaching out to the business AppleCare line if you have the ability, they may have more insight. Also ensure that 5223, 443, and 2197 are open (you said they are but just saying it). Also IPv6 blocking? Just trying to cover the options. Also 2195/2196 are no longer used.
Thanks @Todd Cole. It ended up being the ISP blocking the APNS ports - something you don’t see very often, but understandable in this special circumstance.
If I release iOS devices from ABM, that shouldn’t have any impact on the devices already in use until the next time they factory reset right?
*Thread Reply:* Correct. Same applies to moving device from one location to another.
For anyone who is supporting taking payments on an iOS device: How is compliance being implemented or maintained with the PCI requirement to inspect devices before they are used for tampering or substitution? As part of PCI requirements, client wanted a weekly report to show location tracking of DEP enrolled iPads (cellular) in WS1, which, even with Hub installed and location services on, I have not been successful with. Any ideas?
*Thread Reply:* We have tried scalable payment solution in past and it was awful. But that was years ago. Main problem was that Apple was not interested in helping or discussing how solution could be improved (with one of the biggest retailers in UK) We went with Android and custom in house app for tracing and reporting.
Sharing here in case any of you are using Workspace ONE UEM
*Thread Reply:* This was affecting us big time Damian. Thank you for sharing!
Have you looked into Federation with AAD for ABM? If so, what are your thoughts? There is a lot to unpack with the settings that Apple takes over for managed Apple IDs and using existing domains.
*Thread Reply:* We’ve got it running and we like it thus far.... it does have some downsides even with a small amount of users.
*Thread Reply:* Do you use it with 1:1 deployments? Are you only using it for shared iPad? Curious the use cases you've applied.
https://www.apple.com/business/docs/site/OverviewofManagedAppleIDsforBusiness.pdf
@Justin Butts search for conflicts
Anybody activated just SCIM in ABM yet and synced users 'between' AAD and ABM? After syncing, assigned AAD users appear in ABM, but without federated auth, how can you use these synced users, which now are managed Apple IDs within ABM? Are these users able to authenticate within Apple services with their AAD password as well? Read several articles, but they are all describing this sync feature, nice but how are these managed Apple IDs usable after syncing....?
You can’t. SCIM requires federation. In fact if you set up SCIM before federation it’s just set on pause until you enable federation
*Thread Reply:* Ah, great, makes things clear, was a bit confused by the Apple documentation as it mentions to configure SCIM first and then federated auth afterwards. So SCIM is an addition to federated auth, but you can't use it as 'stand alone'?
*Thread Reply:* SCIM is for updating user info (create, update, delete) and federation is for authentication (and just-in-time creation of users)
*Thread Reply:* The difference was clear, but after reading several blogs I noticed that SCIM and fed auth were described as separate solutions that could function separately from each other, at this point I started doubting. Thanks, have a nice weekend!
I've had a couple of users get bit by the Apple ID Account Recovery process, where they have to wait a few weeks to reset their password and can't use their device(s) during that period either. Is there a way to avoid this, such as federation of IDs? It makes IT look bad even though it's out of our control.
yeah, you have two options.
A) Stop using AppleId for anything in the enterprise. Use VPP Device-based licensing, Use web-enrollment and DEP where possible
B) Migrate to Managed AppleIDs (MAID). With that you can provide, using SCIM and federation, a very nice user experience with admin benefits. MAIDs also provide support for both Shared iPads and User Enrollment but MAIDs can’t purchase apps in the Apple App Store, so you still need to provide VPP apps and users might not see this as a 100% replacement of their old personal AppleIDs
and perhaps C) Don’t care. Ask users to call Apple and sort it out.
VPP per device is sweet. Users don’t even need an AppleID on device
True, but you don’t require supervised 🙂 Works on device enrolled devices.
yeah, but users still have to say OK to each app you push from UEM. VPP is good to forget about AppleID, which is a big advantage, but if you want the best UX, you also want Supervised mode
Is there a site where I can find currently supported iOS versions? I’m trying to determine what is considered end of life.
*Thread Reply:* Apple have a list on their site.
• iPhone 11 • iPhone 11 Pro • iPhone 11 Pro Max • iPhone XS • iPhone XS Max • iPhone XR • iPhone X • iPhone 8 • iPhone 8 Plus • iPhone 7 • iPhone 7 Plus • iPhone 6s • iPhone 6s Plus • iPhone SE (1st generation) • iPhone SE (2nd generation) • iPod touch (7th generation) iPadOS 14 - Apple (UK)
• iPad Pro 12.9-inch (4th generation) • iPad Pro 11-inch (2nd generation) • iPad Pro 12.9-inch (3rd generation) • iPad Pro 11-inch (1st generation) • iPad Pro 12.9-inch (2nd generation) • iPad Pro 12.9-inch (1st generation) • iPad Pro 10.5-inch • iPad Pro 9.7-inch • iPad (8th generation) • iPad (7th generation) • iPad (6th generation) • iPad (5th generation) • iPad mini (5th generation) • iPad mini 4 • iPad Air (4th generation) • iPad Air (3rd generation) • iPad Air 2
*Thread Reply:* I use Everyi.com for their Maximum iOS Version for iPhone, iPad and iPod touch article which seems pretty reliable for older devices.
@brandobot Typically Current-2 is a good stance to take. Even then, the -1 and -2 versions are still only receiving critical patches, not new features/etc
So iOS updates can't be downloaded via cellular, which makes sense, but does anyone know if you push an update via MDM if that overrides the restriction? My two cell enabled iPads are completely up to date, else I'd try right now.
*Thread Reply:* MDM will not override, but you can’t generalize that OTA updates are not working/allowed over cellular. It depends on the carrier. Some carriers restrict the download and some don’t - It’s part of the carrier settings. Even if the carrier allows unlimited OTA updates (we have 1 here in Denmark that allows that; while the others only allow smaller OTAs) there is a short (2-3 weeks?) blocker where an update is only available on Wi-Fi. After this period the OTA settings kick in. (try to set your date to some date in the future and test :))
*Thread Reply:* @Peter Mohr thanks for the great info!
I'm curious has anyone had reports from their users about having issues sending emails with attachments after upgrading to iOS 14.3? I've had 5 tickets alone from end users this week so just curious if this is a trend others are seeing?
*Thread Reply:* I looked at the apple forums and saw an issue with attaching pictures in Mail since 14.x. Not sure if that's the same issue you're having.
*Thread Reply:* Thanks for the response Ray. About an hour after posting that I got a report from an Android user as well. We are going through an Exchange upgrade currently and that team is dragging their feet so it appears to be something on their end, so will see when they get around to actually fixing it. In the meantime I guess I'll just try and calm down the annoyed users lol
Does anyone have any experience with using Jamf but also managing other UEM products? For basic Apple management (ABM/DEP/VPP) is there any additional benefits that Jamf brings to the table? It's one that always crops up in large deployments but i've never actually had hands on time with it
*Thread Reply:* I have used many MDMs to manage large and small deployments of Apple devices. Jamf is one of the best MDMs out there. They are very responsive to new features, they have great automated enforcement, and being “Apple only” lets them focus. They have one of the most complete MDMs, meaning of the “available MDM features” Jamf has implemented most of them. I have used most of the major players (IBM, VMware, Microsoft, Mosyle, Kandji, Meraki, and many others) and Jamf time and again comes out on the top of the list for features and usability.
*Thread Reply:* thanks @Todd Cole - I think I’m going to spin up a trial and have a bit of a play around with it
*Thread Reply:* Jamf pro is great but you can get a basic idea with the free JamfNow account
Catching up on iPadOS and Kiosk Mode--Did it receive any enhancements in iOS 14 that allow for more than a single app to be used?
*Thread Reply:* I think I know the answer to this, but better to ask than to respond incorrectly 🙂
*Thread Reply:* Hey @Barbra Conner look--I’m threading! 😆
*Thread Reply:* My preference is to accomplish this with Home Screen/Dock, and App Whitelist/Blacklist configs. Just wondering if the Kiosk mode was enhanced any more since inception
*Thread Reply:* You can hide/disable apps (internal & 3rd party). All except the “Settings” app. Inside that you can disable many things a user could click but not all. Perhaps this is good enough for your use case?
*Thread Reply:* @Peter Mohr Is what you described attainable using Kiosk or was that via the other configs I mentioned?
*Thread Reply:* Just trying to determine if there’s any superiority to using Kiosk vs all the individual configs
*Thread Reply:* It’s a restriction policy… We use it all the time on shared devices
*Thread Reply:* Okay, that’s the angle I’ve been working as well
*Thread Reply:* So “Multi App Kiosk” but done using misc configs instead of a singular config (Like Single App Kiosk)
*Thread Reply:* only real issue is the Settings app. Lock as much as you can down with restrictions and hope for the best 🙂 Generally works fine. You can always find fingers that want to toggle anything… This is not Single App Mode…
*Thread Reply:* Temporary session on Shared iPad might be interesting to consider
Does anyone know if (as-of iOS 14) there is an MDM control to allow/disallow “Prevent Cross-Site Tracking” in Safari?
*Thread Reply:* Not according to the documentation on configuration profiles
*Thread Reply:* @Mark Vonk Yeah, that’s what I’m seeing. Apple pretty much prevented it from being touched all around on iOS/iPadOS (unless the user goes in and manually changes it)
On 26.1. there is a three-day seminar (ONLINE) on iOS 14 (MDM, ABM, ....) https://www.comconsult-akademie.de/ios-im-unternehmen/
Hello, anyone impacted by the iOS 14.2+ and MDM-deployed app crashing issue? https://github.com/xamarin/xamarin-macios/issues/10086#issuecomment-738237870 We've been dealing with this for a while, and haven't heard really any updates from either Apple or MS, aside from the blame game. Current fix is to stop distributing app from MDM, direct user to public app store to download app, works every time, just hard in dedicated device scenarios where no iCloud account exists and the app stores are blocked.
*Thread Reply:* I know I'm late to the ball on this ... but yes, we're in the same boat. We had to go back to the developer of our app and ask them to fix the issue. The biggest issue for them was the "trampoline" issue. We're hoping that this week they'll release the update that's going to fix this for us. To add, we tried other alternative solutions, nothing worked.
Let’s hope that iOS 14.4 (beta 2) will fix this issue 🙂
*Thread Reply:* anyone got any idea when this will go GA
*Thread Reply:* Twitter says Tuesday this week 🙂
*Thread Reply:* My Apple POC advised that this was a developer issue. We went back to the developer and they advised that they were working on the "trampoline" issue that will fix this issue. The app update is currently in the works and hoping that an app update is coming out this week for this.
*Thread Reply:* I guess they don’t have to fix “trampolines”. Just update to 14.4 tomorrow
*Thread Reply:* @Jordan Philip thought you'd like to see this.
*Thread Reply:* Update ... still no iOS 14.4 for today
*Thread Reply:* @Ray Domingue I guess we just had to be patient https://www.theverge.com/2021/1/26/22251149/iphone-update-14-4-fixes-exploited-security-vulnerabilities
This is the best news I've read this week. Thanks @Peter Mohr you made my day
Okay, so my efforts to find a way to disable Cross-Site Tracking came up empty. This setting is clearly here to stay.
Does anyone have recommendations on best practices for those writing/hosting their own apps?
The best piece of advice I’ve found thus far is to keep the website and the api on the same domain, e.g. https://web.mydomain.com and https://api.mydomain.com.
*Thread Reply:* Definitely, i’d say host the website on www and your app on api. You don’t want to use www for both, as it might be two different servers (like a wordpress for the www and something else for the app)
*Thread Reply:* Using two different domain mydomain.com and yourdomain.com will end up being a nightmare for user tracking, sessions, seo ...
*Thread Reply:* @Jeremy agree on all fronts! Thanks for the response. I know the design of the app isn’t technically in our realm, but I’m trying to provide guidance as best I can
Friends! Anyone with similar experience with managing iOS updates in MDM? https://mobilxperts.slack.com/archives/C1V75UE76/p1611907747036100
*Thread Reply:* I'm currently using this feature now in WS1 and have been ever since they released the ability to do so. For us at least it’s been pretty straightforward and typically works with little to no issue. Only time I normally see failures is if the battery is too low, device is low on storage, or they are on cellular, and once the device connects back to Wi-Fi it usually corrects itself and completes.
*Thread Reply:* The one issue I have with this setup though is I can't force it to devices that have a lock screen PIN enabled. On those I can push it down and have it ready but like you mentioned the user then has to accept the update before it will install. I wish we could both force that and force the download over cellular so I could get these updates rolled out quicker.
*Thread Reply:* Don’t you ever get the "Unable to install..." error message (see images)
*Thread Reply:* If users are seeing that it's never been reported to me. Also as you can see I started my rollout of iOS 14.4 two days ago. I first deployed specifically to a small group of iPads that actually needed 14.4 to fix an issue with an app developed on the Xamarin platform along with a few other smaller test groups. Then mid-afternoon yesterday once I was sure it wasn't causing any issues I pulled that deployment and re-deployed using a smart group I created to push this to all available corporate devices, and as you can see from the screenshot it’s flying through them pretty quickly all things considered.
*Thread Reply:* It's possible the devices that are showing as failed are getting that error but I'm going to assume they are not at this point because when I look up that list they are all cell phones used remotely and that team has been instructed to keep Wi-Fi off when out and about doing their job because otherwise it breaks their VPN connection (or so I'm told), so in order to stay connected and avoid multiple logins they stay on cellular all day long but are supposed to connect to Wi-Fi when they get home at night and pull down any pending updates. They clearly don't do that every night or I wouldn't have so much red on that chart 😄
*Thread Reply:* Also we are a SaaS customer on Version: 20.11.0.7 (2011) not sure if that matters or not but worth sharing since you are running into issues. Maybe someone smarter than me here will chime in with what might be causing your issue.
Hey there!
I’ve found that Outlook for iOS is very bad when we talk about contacts.
Basically, customer can copy contacts from Outlook for iOS to iOS Contacts app, but users cannot add new contacts from device or edit them and sync back to Office365/Exchange Online.
The best practice from MS (now) to set up contacts only sync in Native Contacts and then disable sync from outlook to native.
Can this be configured remotely or does it require user interaction?
On my tests it’s a big mess, important enough to switch from Outlook for iOS to iOS mail or even any other mail client able to handle this properly.
I only talk about contacts syncing, not authentication.
Yes, stop sync from Outlook to Native and then have both Outlook and native contacts sync directly to Exchange. This is best practice now
*Thread Reply:* Although this is what MS advises us to do, I believe it is the worst practice since it also requires you to modify your conditional access rules. You will need to allow ActiveSync so be sure to also implement a check if the new ActiveSync profile is installed. If not, it could mean that the user already created an ActiveSync profile manually, allowing him to also sync mail and calendar data to the native apps.
Unfortunately this is the only solution that will work for most users.
*Thread Reply:* Well, you can disable ActiveSync with username/password allowing only CBA, and you can send down the profile with just contacts and disable the user from enabling email and/or calendar. I think we can greatly improve usability here by following this practice.
The Outlook => native sync is the worst experience ever. Both in terms of user experience but as importantly security wise.
*Thread Reply:* Absolutely agree! Especially since Outlook --> native sync of your contacts uses iCloud and therefore syncs all your business contacts to ALL your i-Devices that use the same iCloud account. Also to devices that are unmanaged.
*Thread Reply:* @Peter Mohr how would switching to CBA and disabling username/password affect other systems using the ActiveSync protocol? For example, right now our old MDM we're retiring uses ActiveSync for email access. Its also been mentioned that our Teams rooms devices might be using the ActiveSync protocol for their scheduling.
*Thread Reply:* Yeah, you still need ActiveSync protocol.. It comes with auth in three flavours
*Thread Reply:* It is getting complicated when you configure the new “partner compliance” between 3rd party MDM (like WSO UEM) and AAD (Intune) and enable Conditional Access Policy on AAD side to require compliant devices only. After device enrollment you need to push Exchange payload (with contact only) ASAP to avoid the possibility that user will add account manually… The issue is that user will get authentication prompt for Exchange waaay before MS Authenticator is installed/account added/device registered to AAD. So authentication will fail. CBA will not help in this case as well… To be honest it is nightmare from UX perspective.
*Thread Reply:* You can prevent this by creating a compliance policy that checks if the mail configuration that you wish to push to the devices is installed. If not, quarantine the device.
*Thread Reply:* @Almar Diehl device is not managed by Intune but WSO UEM
*Thread Reply:* Basically WSO UEM is just flagging device as compliant/non-compliant in AAD. Only MS Authenticator can register device in AAD and then pass AAD Device ID to match to that device record so all auth traffic must go through MS Authenticator.
*Thread Reply:* @Ladislav Blazek Are you using Outlook as the mail client for WSO UEM devices, or a third party client? In ActiveSync you auto-approve based on agent version on device.
*Thread Reply:* @Travis Reeves Outlook as the mail client, native iOS app for contact sync (Exchange profile with just contacts enabled). There is a Conditional Access Policy configured on the AAD side to allow compliant devices only. So agent filtering on Exchange for EAS will not help. The problem is that MS Authenticator needs to be installed together with the SSO Redirect Extension (using the MS Authenticator plugin), the user needs to add the company account to MS Authenticator and then register the device to AAD. All this will take some time… But the Exchange profile is applied immediately after enrollment and the user is prompted to authenticate. Authentication will fail again and again… until all the previously mentioned steps related to MS Authenticator setup are done.
*Thread Reply:* So basically my recommendation at the beginning for that customer was avoid Outlook contact sync and use native contacts synced via Exchange profile instead… now trying to figure out how to make that process user friendly during device enrollment, but I don’t see an easy way.
*Thread Reply:* We push an EAS Contacts only profile via MDM using CBA for Auth and block all other Auth at the Exchange Online layer. This way native caller ID is there and access is available to managed apps with the iOS restrictions. Outlook iOS is there for email, calendar etc
Remember that the Outlook to native sync moves contacts from managed to unmanaged… This other way keeps contacts managed all the time
Hey guys, quick question on DEP. Can you tell me if switching to supervised mode on iOS COPE devices has an impact on displaying personal apps on the Airwatch console and if so, is there a way to mask that from the admin view. At the moment, we don’t collect any personal data due to the privacy settings but we are looking at improving deployment and support for corp devices via DEP.
*Thread Reply:* Yes I know that - it’s what we currently do with COPE devices. However my question is if the devices are supervised, does that setting take priority or are all apps (not just those which are managed) shown on the console ?
*Thread Reply:* if I remember rightly, I believe this doesn't show any app that is not pushed out via VPP. So if a user downloads an app from the app store, you will not see it in the list if this box is unticked.
*Thread Reply:* I’ll do a series of tests to double check
*Thread Reply:* Privacy policies have 0 differences on supervised vs unsupervised iOS devices.
*Thread Reply:* Difference is only on VPP and restrictions (and some payloads like wallpaper or layout folders)
*Thread Reply:* But you will not see anything else different from what the privacy policy allows/gathers
*Thread Reply:* It’s just that if you also use VPP, your users will be happy to see seamless app installation
*Thread Reply:* Thanks that’s what I thought!
So is everyone forcing iOS 14.4 on their users following the 3 critical vulnerabilities? Apple are staying relatively quiet on this and our security teams are all guns blazing🤔
*Thread Reply:* We are since it was confirmed that one of the exploits had been used in the wild. Also our deployment of Corp iPads is pretty small compared to a lot of people in here so the risk is pretty minimal to us. We actually needed iOS 14.4 to drop as it fixed an issue with apps built in Xamarin which a few of our vendors use so this actually fixes multiple things for us besides the security patches.
*Thread Reply:* Our security team wants 60k devices updated to iOS 14.4 within 7 days....they’re living in a fantasy land.
*Thread Reply:* I know the feeling! We’ve also been given 7 days for the 7k devices...but our group manages over 100k on other WS1 tenants !
*Thread Reply:* In the capacity of a MSP.. we’re strongly advising it. When there are 3+ critical vulnerabilities it always gets the Nike “Just Do It” approach
*Thread Reply:* This thread just got me curious: is there an easy way to push out iOS 14.4 to all devices in Intune? I know WS1 made it pretty simple but since we pumped the brakes on Intune as a company at least for now I'm curious if MS put something similar in place.
*Thread Reply:* @Boe Yeah, they’ve got it in there now (at least as part of “Endpoint Management”)
Is anyone able to access Apps & Books on ABM? It seems down.
*Thread Reply:* Yup down for me as well must be doing some sort of maintenance again or something
*Thread Reply:* Are you guys using it while connected to VPN? Usually I see that screen when I access ABM with VPN on. Once I turn it off I do have access to the Apps and Books part.
*Thread Reply:* Nope, tried with multiple open Wi-Fi including LTE hotspot.
*Thread Reply:* Confirm. Had to accept T&C and then same screen as Eric.
*Thread Reply:* What's funny is that it shows as Up and Running here: https://www.apple.com/fr/support/systemstatus/
*Thread Reply:* Always knew that thing was updated manually.
*Thread Reply:* I have two instances, trying the second one now.
For those that are using app protection policies (w/ Intune) ... !! https://www.reddit.com/r/Intune/comments/lb0y95/ios_145_breaks_apps_that_are_app_protected/
*Thread Reply:* Hopefully they fix it by the time it goes GA or we are all in for a rocking good time 😛
*Thread Reply:* Agreed, but still I don't need this. SMH.
*Thread Reply:* I ran into that issue yesterday and was expecting some communication about this
What is the best way to get logs from an iOS device in regards to Apple Mail? I'm trying to figure out why some users can establish an ActiveSync connection while others at random can't.
*Thread Reply:* If you have an AppleCare support agreement they can provide an EAS specific profile to capture sysdiagnose logs…
*Thread Reply:* Deploy one or more of the debug profiles from https://developer.apple.com/bug-reporting/profiles-and-logs/ and then have the user generate a SysDiagnose in one of two ways… Buttons or AssistiveTouch.. https://download.developer.apple.com/iOS/iOS_Logs/AssistiveTouch_Sysdiagnose_Logging_Instructions.pdf
*Thread Reply:* Sysdiagnose logs can help too: https://www.jessesquires.com/blog/2018/02/08/how-to-sysdiagnose-ios/
Anyone have any tips or tricks for forcing down iOS updates. I'm specifically looking for tips and tricks to get the update applied on users devices with lock screen pins since it seems like those require user interaction and as a result a number of our devices are not getting updated.
*Thread Reply:* Dedicated Corporate devices fully managed via WS1/ABM.
*Thread Reply:* We use a mix of compliance policies which includes notifying the end user via push and e-mail and pushing updates and within xx days removing mail access if device isn’t updated
*Thread Reply:* Ya I actually just put a compliance policy on a group of them to block email access until they update their device since the users just ignore our email / hub notification requests lol. It's just frustrating Apple doesn't give us the ability to force the install/reboot like you can on a device that doesn't have a lock screen pin.
*Thread Reply:* we use a mix of compliance policy and conditional access policies in MEM. users get a grace period of 7 days to update to the requested OS, after those 7 days access to company resources is blocked on the device
*Thread Reply:* @Boe you don't say ... they ignore your email??? #ThatsMyLifeTooEveryday
*Thread Reply:* We're going to start doing this as well in Intune, the problem is we have users that live in remote areas and not only do they not have Wi-Fi in their home, but they are not allowed in the regional offices b/c of Covid-19. So we're having to think outside the box on this.
*Thread Reply:* I wish you the best of luck on that sir, it appears Apple has made this more of a pain in iOS 14 now requiring the device both be on Wi-Fi and plugged into power in order to update. Come on Apple I thought you were supposed to be the ones all for keeping things simple lol
Can anyone else confirm if you’re seeing this “lack” of control/behavior with Shared iPad for Business in other MDMs? https://www.reddit.com/r/Intune/comments/llr25e/shared_ipad_for_business_change_inactivity_lock/
*Thread Reply:* You can change the timeframe with your mdm
*Thread Reply:* @iMZ it may be that InTune is lacking support for several shared iPad features, but so far everything pushed via MDM is ignored.
Our DEP reseller told us that they have approved several new devices that we have bought, but these devices will not show up within the business manager. So the reseller told us it could take up to 72 hours, but that time has passed. The reseller told us they can’t help. Are there any logs within ABM that I can pull or do I need to raise a case with Apple?
*Thread Reply:* If there were any errors uploading to your portal you would receive an email from Apple. If you haven’t received these errors then like Peter says they have probably uploaded to the wrong portal.
9/10 cases like this we see is caused by the reseller sending devices to the wrong customer ID and they don’t pay attention to any errors coming back from Apple too…
Hi, I’m facing an issue with the Global HTTP Proxy configuration. It is not bypassing the PAC in case it’s not reachable, despite being enabled on the profile. Has anyone seen this before? Just looking for a quick resolution before starting to review the iOS logs.
Hi, any suggestions on how to backup user data on remote supervised devices before a hardware refresh? We would then look to restore the data on the newly supervised device. We usually suggest iCloud as the ideal solution but customer is looking for alternative solutions.
*Thread Reply:* Hi, alternative could be encrypted backup using iTunes.
*Thread Reply:* The best way to do it is to retire the device from UEM, make a backup, and then restore to the new supervised device
*Thread Reply:* You can't unenroll a supervised device without wiping it, or I have missed something recently 🤔
*Thread Reply:* Correct, you’d need an admin to issue a “Retire/Unenroll” command from the console.
*Thread Reply:* But the device would still need to be wiped.
*Thread Reply:* No, you just want to pull the MDM profile, but you can def do the backup after retiring device
Hi all, We've noticed that since updating to iOS 14 on a COBO device, Safari is no longer available in Passwords & Accounts, Autofill. (Our COBO devices do not have an Apple ID)
I saw that there was a change in how Keychain works with Autofill in iOS 14 in the various articles regarding it.
I'm guessing that without an Apple ID on a device, Safari cannot use Autofill anymore in iOS 14, as it seems to integrate with the Keychain function instead? Is anyone else having this issue and could confirm this is how it now works?
Or do we have a switch in our MDM we need to disable somewhere... I've checked WS1 and I tried just removing all profiles from the device and it's still affected.
*Thread Reply:* I don’t think that’s it. I believe safari gets its passwords from the keychain. So “keychain” is what you want to enable.
If a device has an Apple ID and iCloud then this option changes to “iCloud Keychain”.
*Thread Reply:* Thanks, you're dead right. Our users just need to enable 'Keychain' as per the screenshot and functionality comes back
Looks like for our users at least, upgrading to iOS14 disabled this feature so it had to be enabled again.
Hi everyone, do you know if it’s possible to force an update from the app store on a non supervised device ? The documentation does not suggest that anything like this exists (even for supervised) but I might have missed something. Our client would like to make sure that one managed application is always updated to the latest version. Thanks
You need VPP (ABM) and device license assignment.
I can force update a “public” app on non supervised devices?
I’m looking at the docs right now seems to do the job
*Thread Reply:* VPP works regardless of supervision. App is already installed. So if assigned with device license, MDM should be able to send update command.
*Thread Reply:* I’ll have a look at it thanks for the help.
*Thread Reply:* If the app is installed by the MDM then it can update it. if the user installed the app then the MDM can not force the update, however if the MDM takes over the app then it can update it (app takeover has to be enabled in the MDM)
*Thread Reply:* True, good point. Push message to convert app from unmanaged to managed state is supported by nearly every MDM. On non-supervised devices the user needs to approve that conversion = user will be prompted and can decline. But I am right now not sure about one thing... when the app is installed by the user and is converted to managed state, could the license be changed as well from user to device licensing model without app reinstallation? Afaik app auto updates work only when device licensing is enabled.
Heads up - https://kb.vmware.com/s/article/82793?lang=en_US
*Thread Reply:* Thanks for the info. Is there a way to follow these case without an Apple care enterprise subscription?
*Thread Reply:* openradar.appspot.com tracks apple bugs (radars), but it doesn't catch them all. I think it is up to the originator of the radar to list it themselves and they haven't in this case (radar FB9010428). We have logged a ticket with AppleCare to see if they can tell us anything further, so I will let you know what they come back with.
*Thread Reply:* AppleCare have acknowledged the issue and are planning a fix in a future iOS release.
@Jason Bayton love the new site. 🤣
*Thread Reply:* thank you. I'll be hanging my hat here from now on 😄
*Thread Reply:* Should we go ahead and just archive all the Android channels?
*Thread Reply:* Couldn't make Android documentation any worse 😛
In case anyone is interested, we’re going to start pushing our devs to incorporate this into all future enterprise apps! https://betterprogramming.pub/how-to-prevent-screen-capture-at-ios-14-1f01173c31c0
Question for the community, I can’t test this in my own lab tenant. If we have users that are logged into email (unmanaged) but now we want to force MDM enrollment to access, setting up an External proxy of sorts with O365 to force that behaviour. If we do that, would that break connections for existing users' authenticated email, forcing them to enroll into MDM?
*Thread Reply:* @Michael Goad What MDM are you using? This is a good use case for implementing Device Trust. There are several vendors offering this (and several ways to implement), but essentially you’re screening devices before allowing them into managed modern services. If you’re still using ActiveSync, you can toss a certificate auth requirement on top of the connection.. then anyone not managed would automatically be filtered-out/denied access until they become managed.
*Thread Reply:* Anyone have any MS links about this: • have one customer reporting this (VMware tickets, thought this is some issue with WS1.. but as said: App works if "non-MDM managed, installed from App Store")
*Thread Reply:* Ok, Endpoint Manager - Service Health has the notes from MS. Just took some digging (thanks for the heads up and posting the MobileJon - link.. there was screenshot in the Linkedin post 🙂 )
*Thread Reply:* Looks like it has been resolved by MS.
DEP Device Migration Question: If a DEP Policy is set to allow Device Migration, is allowing the user to sign-in to an iCloud account mandatory?
*Thread Reply:* Anyone have insight on this one? My gut says the migration wizard would port over the Apple ID and the user wouldn’t be prompted?
*Thread Reply:* Are you referring to iOS QuickStart (https://support.apple.com/en-us/HT210216) ? In that case I think the fine print at the bottom of that page may be relevant to your question: “** If your new iPhone is enrolled in Apple School Manager or Apple Business Manager, you can’t use Quick Start to transfer data from your current iPhone.”
*Thread Reply:* @Thomas B. Yeah, this was posted before I got down into the details. Company isn’t going to buy iCloud storage plans for backups, so if a user happens to have an Apple ID and backups.. they can restore. Else, the new device is provisioned with a baseline of business apps and user can add extras as they go.
*Thread Reply:* For CSuite/Exec level… may exclude new device from DEP Server assignment and allow use of the Migration Wizard.. then User Enroll into MDM after the wizard completes.
*Thread Reply:* That would work. Also, local (‘iTunes’) backup can sometimes be an option for those without sufficient iCloud storage. If you happen to have a contact with a local friendly AppleSE they might also be able to help you ensure you consider all options.
Another week another iOS exploit 😄 I kid but man it seems like this is becoming a weekly thing lately https://www.theverge.com/2021/5/3/22417984/ios-14-5-1-ipad-iphone-apple-watch-mac-update-security-fix
*Thread Reply:* I thought the same. Should have let some of the betas bake a little longer. Glad I skipped 13.3.0 on MacOS, since it comes in at nearly 6.5Gb (and would have been nearly 13gb of updates after doing 13.3.1)
*Thread Reply:* I think it was just new emojis 🥱😶🌫️ 😵💫
*Thread Reply:* …one of which is not working as intended. Anticipate another update soon 🤣
*Thread Reply:* Ya even my die hard iOS friends/co workers are getting a little annoyed by this. 3 out of the last 5 updates are to fix exploits. So much for Apple Security being superior 😄 In all fairness they make great products but this is starting to feel like iOS 13 all over again.
*Thread Reply:* Maybe the security team was distracted by the Gates divorce 😆
yes, tis just a payload. https://developer.apple.com/documentation/devicemanagement/caldav
https://developer.apple.com/documentation/devicemanagement/subscribedcalendars
does anyone here have any good material they reference if talking to customers about migrating from in-house apps to custom apps?
*Thread Reply:* I think this is a good overview https://developer.apple.com/videos/play/wwdc2020/10667/
*Thread Reply:* I quite like the table of distribution options published here at the end of the page: https://developer.apple.com/business/distribute/
*Thread Reply:* Also, that page links to pages with more detail on both the Enterprise program and Custom apps respectively, e.g. https://developer.apple.com/custom-apps/
*Thread Reply:* thanks @Thomas B. that's exactly what I was looking for
Anyone know if there is a way to disable "Facetime Live Photos" via an MDM rather than doing it by hand?
Anyone want to place bets on when iOS 14.6.1 drops? As much as I want to upgrade, I’m pretty much just advocating the .1 at this point…
*Thread Reply:* Hi Leon. This is where iOS stores the data value for traffic related to the EMM. Check-ins are negligible, but this could be related to an initial sync of a large mailbox(es) or if there is a configuration error in the work-stream w/ the EMM, it could be constantly throwing errors back to the service. Sometimes just doing an unenroll/reenroll can solve these issues as well. Here's an Apple Support article on what some folks have done to find the resolution. https://discussions.apple.com/thread/5386573?answerId=23327904022#23327904022
*Thread Reply:* Very useful - many thanks. My initial thoughts were to take a look at the mailbox settings
Hi, we’re rolling out DEP and need to prevent auto-enrollment if the device is ever lost or stolen. The idea is to apply another DEP profile that would require authentication if that ever happened but this means more manual admin work after the device is enrolled. Can anyone suggest a better way around this? Thanks
Do you have auth on or off for DEP enrollments in general? We sometimes have a DEP profile called “Lost devices” that we auto-enroll into a locked down part of MDM with all apps hidden etc… Thieves can enroll but have no use for the device and we get to see and control the device again
*Thread Reply:* Yeah we have auth off when the device is first enrolled and then put them in a lost mode with auth on so they can’t advance. I guess it’s the only option?
Hi! We have big problems with iOS devices getting stuck on the Apple logo after iOS update. The problem seems to have escalated since we started to schedule OS Updates via MDM (Workspace One UEM). Anyone experienced the same issue?
most of the time you can set device in DFU mode and exit DFU mode and then it works again
Yes, that's what we do as well. I wish there were something we could do remote though. (or that the problem didn't exist in the first place) Thanks Peter!
Yes, for sure. We have also seen bricked devices that need their hardware replaced by Apple after the last few OS updates 😞
*Thread Reply:* What are the password requirements that are pushed?
*Thread Reply:* but we managed to resolve it by creating an alphanumeric passcode which isn't in the policy but allowed the user to continue to reset it then set it back to 6 digits after
*Thread Reply:* That’s weird. I have seen similar issues, but only when the password policy forced extreme password complexity
Can anyone remind me - With the traditional SSO payload (strictly Kerberos), can you still wildcard URLs like we used to? e.g http://**.example.com - Apple’s site shows reference to it, but I wanted to confirm. https://support.apple.com/guide/deployment-reference-ios/intro-to-kerberos-single-sign-on-apdf5b35aad2/web
How is one able to get logs related to application installation failures on iOS? We use an in-house Timesheets app on iOS devices. The maintenance of the project has moved to a new person since the previous maintainer is pursuing other opportunities. There is a new version they want to test, but it's failing to install. I get a very generic error in iOS 14 that the integrity of the app could not be validated. When we rolled this app out a few years ago, I could sync the device via iTunes and then search the app install logs in the iTunes sync folder for more details, but I cannot repeat that now.
*Thread Reply:* When plugging the iOS device into a Mac, you can use the Console application to see the logs
*Thread Reply:* look for the package name of the application you should be able to retrieve the correct log
*Thread Reply:* We usually see this error message when the app is not correctly signed (AdHoc or AppStore) instead of InHouse
*Thread Reply:* <windows geek> Anything comparable for Windows? 😄 Time to try and scare up an Apple computer
*Thread Reply:* I have used this in the past, before I switched to a Mac:
1. Download the full set of exe's and dll's
I'm curious has anyone who supports BYOD made the switch to "User Enrollment" vs the traditional device enrollment? If so how has your experience been and what gotchas have you run into?
*Thread Reply:* Yep we ran a POC but as we do mobileSSO and federated our domain with ABM, this created an extra hurdle as our IDP sends any mobile user-agent to WS1 Access (this includes Safari that is used for end user enrollment). As the auth request comes from Azure, this impacts all Office mobile apps so we couldn’t put an exception in place to not forward the request for end user enrollment without impacting the security of the solution. There is a way to ensure conditional access between AirWatch and AAD but you need MS Authenticator for this and we already have our own Authenticator app…send me a PM if you want more details?
*Thread Reply:* We found an issue with per-app vpn (cert based auth). This is not possible with user enrollment. As we have the requirement for some apps with internal backend to use a per-app vpn this was the show stopper for us. Haven't looked into this for a while now to be honest but I believe this did not change yet.
Very curious as well - we are looking into it right now. One thing we already noticed is that the keychain separation is not as robust as expected, especially for certificate auth in Safari/SafariViewController in apps like Authenticator
*Thread Reply:* @Cedric Lüke I can't imagine we are the only ones looking at it. I would also like to think someone in here has already made the switch. I was watching this session from WWDC where they are talking about the change to declarative management that got me thinking about it again. https://developer.apple.com/videos/play/wwdc2021/10131/#:~:text=Declarative%20management%20allows%20the%20device,without%20prompting%20from%20the%20server.
Can someone remind me: Federated Apple IDs + Shared iPad - Is there a way to have a digit Shared iPad Passcode? Similar to Windows Hello?
*Thread Reply:* I swear on one of the initial builds I did, it was feasible. However, what I’m seeing here says that ABM will always enforce a complex passcode? https://support.apple.com/guide/mdm/shared-ipad-sign-in-mdm6c592d817/web
*Thread Reply:* Why share a passcode, use a guest login? Just curious.
*Thread Reply:* @Todd Cole Customer was against Guest/Temporary, as the users need to be signed-in as themselves and be able to retain app data/settings/etc.
*Thread Reply:* Shared iPad with Managed Apple ID’s? Let's talk tomorrow if you are free, I feel I am missing something here.
*Thread Reply:* Yes @Todd Cole - Shared iPad with MAIDs.
*Thread Reply:* I’m free to chat this afternoon at any point. You know how to find me #Holler
Hey hey - anyone know if iOS still can't handle profile changes that contain a change state for OAuth from disabled to enabled? I know a few years ago it would never pick up the change and you'd need to actually pull the profile and send a new one - anyone have any insights?
*Thread Reply:* With iOS profiles, it is a remove and re-install of new profile. Apple doesn't support a concept of deltas.
*Thread Reply:* We use Workspace ONE and we just updated the EAS profile with OAuth enabled and the iOS device received a pop-up asking them to enter the password which takes them through the auth workflow
Are there any iOS payloads to configure the files app via MDM?
Not as far as I know 😞 Would love to be able to add servers etc 🙂
*Thread Reply:* That would be great feedback to share via the Feedback app / AppleSeed for IT as a feature request…. maybe talk to a friendly Apple SE to see if they can help raise the visibility of your request…
Does anyone in here use Polycom RealPresence Mobile HD and if so have you found a way to push out the settings via the MDM instead of needing to set them by hand? I tried looking at their site's documentation and I didn't find anything.
*Thread Reply:* Able to ask their support team if the app implements AppConfig? Also ask them why not if it doesn't.
*Thread Reply:* I wish unfortunately this app is provided to us by a vendor and not the company direct so I don't have direct access to their support which is why I thought I would reach out and see if anyone else had experience with it. I went thru their support site and they mention MDM's in some of their documents but never anything about supporting AppConfig via the MDM. It's not a huge deal either way I was just hoping to cut a few setup steps out for our Desktop Support Team, plus less things they have to manually do less chance for error 😄
*Thread Reply:* The Google Play version does not support AppConfig.... so that isn't a great sign.
*Thread Reply:* Ya I checked that too so I figured I was out of luck but thought it was worth the ask regardless thanks for trying though Dirk
Am I losing my mind? I thought iOS devices had to be supervised to use an unlock passcode / clear passcode command?
*Thread Reply:* no it should work on unsupervised devices as well
*Thread Reply:* My pre-coffee brain can't wrap my head around Apple still allowing for unsupervised unlocks - thank you for confirming!
Is anybody using Safari in iPad Kiosk mode (single app mode via MDM policy) with VPN? Looks like the single app mode profile blocks AnyConnect from establishing the On-Demand VPN connection
“Single App Mode” 🙂 kind of gives you the answer. You can’t run 2 apps (AnyConnect and Safari)….
well that's what I feared, thought somebody might have a clever way around it
Always On requires Supervision too. (I guess SingleAppMode does too)
I advise against SAM with MDM. Never ending problems IMO
true, but also works in some use cases. Automation helps on the backend….
Who knows why Focus Mode didn't work for apps from MDM?
*Thread Reply:* Do you mean that notifications still come through even though they are not supposed to? Haven’t tested that so far.
if anyone has an iPhone could they try the below for me 🙂 using the native mail client, if they use the unread filter button does the phone freeze up then unfreeze around 10 seconds later but the filter doesn't work (i.e if you are in unread mode it won't take you out of it and vice versa)
*Thread Reply:* It works as expected for me on iOS 15
*Thread Reply:* thanks @Mark Vonk just me then 😞
Anyone had any issues on iOS 15 with blasts of meeting acceptances after upgrading?
*Thread Reply:* Actually I have seen this with upgrade to 14.7 too. The persons that were causing this issue had to remove and reapply the exchange config. Native iOS mail right?
*Thread Reply:* Seems somewhat common. But MSFT didn't care lol.
Any word if CVE-2021-30883 also affects iOS 14.8?
Hi, Is anyone having issues lately with native email client, certificate based authentication and o365? We have multiple customers reporting issues... only happening with CBA access to o365 exchange online....
@Gary This is using CBA + O365 ActiveSync. Right?
Might be worth checking w. MSFT. Technically everything you’re doing is supported from an Azure perspective…
Unless you’re having issues with your PKI/CRL, it should be business as usual
Yip, MSFT confirmed that it is strange and not able to find the issue yet. Will check CRLs
Exchange Online service alert Incident information Title: Some users are unable to send email or receive using their Exchange ActiveSync (EAS) synced iOS or Android device ID: EX291497
Hey folks, with the growing number of critical vulnerabilities (zero day no touch exploits) I'm curious to know how everyone is handling this from an MDM perspective? Are you all setting the latest iOS version (15.0.2) or the one before it such as 14.8? It's starting to become really unmanageable from a communication standpoint so I'm wondering if any of you have a MTD solution in parallel that is able to detect and prevent these regardless of the iOS version?
*Thread Reply:* MTD does not replace OS updates, but most MDM would be able to detect devices that are not up to date, and they could push out OS updates to supervised iOS devices, for example MaaS360 can do this.
*Thread Reply:* Of course not, I'm well aware of that - I was just wondering how everyone is managing this given the constant flow of iOS updates…
*Thread Reply:* I put a 21 day hold on updates unless they are critical. I also use mdm to push updates. But as a parallel measure we set devices to auto update on setup as well. Then we preach keeping them updated. Updates on mobile, android and iOS, are spotty for people for many reasons. Most of my population does not like to put a device on Wi-Fi. And we don't have cert based authentication, so auto attachment to a corporate Wi-Fi is not possible. Many updates don't get done due to this. Then there are space issues on devices that prevent updates. Really the best policy I have is to really annoy the end user until they update. Being annoying is increasingly difficult lol. Good luck 🍀 !
*Thread Reply:* We usually have N-2 as minimum policy and people have a grace period of 7 days (so until iOS 14.8, 14.7 would be allowed as minimum, if 14.8 would not have been labeled critical). They get a notification and then have 7 days to remediate, if they don’t do that after 7 days access to company resources is revoked, for that device. With critical vulnerabilities increasing on iOS side we have lately been following going to the latest OS version and set grace period to 1 day, with communication being sent to everybody before hand. The scenario with iOS 14.8 and 15.0.2 being out and Apple telling people that they get to choose made even that more difficult. We have a significant number of people on 15+ already and also still a high number on 14.8 afraid to update because they don’t want stuff to break for them, which I understand; I had a terrible experience with my private iPhone. I tested Filters in MEM and it works fine, so now we’ll fork the policy and ask everybody who is already on 15+ but not on 15.0.2 yet, to update with grace period set to 1 day. Everybody who is still on 14.8 is excluded for now, because communication from Apple hasn’t been really clear if 14.8 is affected too. Tbh the situation is becoming messier and messier in my view.
*Thread Reply:* We've found that it's impossible to get everyone updated within such a short timeframe…not sure how you're managing to do that in 1 or 7 days unless you have a small fleet. We have 60,000 devices!
*Thread Reply:* Hey @Jay I could be wrong but from what I've seen reported there were 3 major zero days reported and the first was patched by Apple in 14.7.1 after the researcher who found them went public because Apple was dragging their feet. It's my understanding that another was patched with the 15.0.2 patch and that it sounds like the last exploit is getting patched in 15.1. So I believe all builds are impacted but I could be wrong.
*Thread Reply:* Currently we have a 30 day hold on users being able to take iOS updates on their own. Normally this gives me time to watch and see if any major issues are reported in the media or if any vendors come forward with issues as well. I don't worry as much about apps breaking when they are dot releases, but I do worry every time we take a major update (i.e. going from 14.8 to 15) as it seems something always breaks. I have a list of apps/configs that I know are most likely to break, so I start by testing on them with the right people to put their apps through their paces. After that I start my phased roll out across our devices and hope for the best. Like everyone else here has said already, it's important to keep these things up to date. My direct management doesn't really push for me to do this, but my security team has requested it, and as the guy who it will all fall down on if we get owned I do my best to keep everything as patched and current as I can. 🤣 Managing mobile devices will be fun, they said; it's easy, they said 🤣
*Thread Reply:* How many devices are you guys managing ?
*Thread Reply:* How are you guys managing Android, patch dates etc ?
*Thread Reply:* Android 9 as minimum, paired with N-2 when it comes to security patch level, from tomorrow on that will be 2021-08-01. Security patch level is updated every month on the third Thursday. Next month we’ll also move to Android 10 as minimum.
*Thread Reply:* Latest is greatest - the most recent iOS release has prio when it comes to receiving patches. Participating in AppleSeed can help with timely readiness.
Is it me, or is there not a way to hard-set a 6-digit lock code in the DEP Setup Wizard?
It’s not you. There is no way to do it for iOS devices.
For Macs with DEP you can create an admin account and password during setup automatically.
I’m using Siri to type this if it seems unintelligible
So best not to set during the wizard, then enforce with policy after DEP is complete?
*Thread Reply:* This is what I usually suggest when doing new DEP setups
*Thread Reply:* I’d say that setting the policy straight away and holding the device until the config has completed should get you there (awaitdeviceconfigured). If your MDM does not support this, alternatively just set the passcode policy; most users will opt for the default of a 6-digit code anyway, and those who do not will be forced by policy as soon as it lands on the device.
New Apple Business Manager T&Cs get released today, so don't forget to go and approve those to avoid any unnecessary syncing issues!
*Thread Reply:* Yesterday evening already, but good to remind people again.
*Thread Reply:* I'm a day behind, I've just come back from annual leave so I'm just playing catch up still 😅
*Thread Reply:* Done and done! You have to admit, the emails coming from vendors about this are sort of absurd. CRITICALLY absurd 😆
*Thread Reply:* I think the process of having to go in and check for the TOS at random because they don't do it at a set time on the day mentioned is absurd. Then again the fact we have to do it every time it changes is not much fun in general. +1 for Android Enterprise set it up and forget about it lol
The Apple Platform Deployment guide just got its update to match the iOS 15 release, esp. the What’s New page is neat: https://support.apple.com/en-gb/guide/deployment/dep950aed53e/web
I have a machine certificate installed by Intune in General -> Device Management. I would like my application to present this machine certificate to an F5 server, so that when the F5 validates the certificate I can access the web services. How do I get my application to find and use the certificate in General -> Device Management? Thank you
*Thread Reply:* You’d have to create a VPN configuration profile in Intune using “F5 Access” as connection type, fill out the other required information and under “Authentication method” select “Certificates”. Then you have to go to “Authentication certificate” and select the certificate you have pre-created, the one you see under General -> Device Management.
*Thread Reply:* Also make sure to add the custom xml, like so:
<f5-vpn-conf>
  <prompt-for-credentials>false</prompt-for-credentials>
  <client-certificate>
    <issuer>Microsoft VPN root CA gen 1</issuer>
  </client-certificate>
</f5-vpn-conf>
*Thread Reply:* You can see examples of how to set it up here: https://techdocs.f5.com/en-us/apm-f5-access/apm-f5-access-windows-10-using-intune/cf5accesswindowschaptertitleconditional_access.html
*Thread Reply:* Thank you, I have understood how to do it. I want to know what I should do on the app side to use the certificate. I use Ionic/Cordova for my apps.
Here’s a fun one, definitely something we’ve not come across yet! Have you ever heard of an app developer for iOS rolling back a version in the app store? Workday’s dev team botched up something with last week’s release, and they’re going to roll it back to the previous release. We’re trying to figure out how to handle that with MDM… like will devices that are set to automatically update apps roll back automatically? We are honestly just hoping that they submit their old working version of the app with a higher revision so MDMs will trigger the update, but not sure. Any insight would be helpful as pretty much anyone I’ve asked hasn’t seen this situation before.
*Thread Reply:* whenever Workday botch an update (seems to happen quite a lot for one of our customers) they do exactly as you say, revert to a previous version but making it a higher revision.
*Thread Reply:* Thanks @Ajay Patel!
*Thread Reply:* Fun one! Good to know that’s how Workday is working it…
If I buy a device directly from Apple, are they really not able to activate the device for DEP?
*Thread Reply:* Apple Business Store Online will do this for sure. Not all Apple Retail Stores will do it…
*Thread Reply:* Apple Business Store (in the UK) definitely do add to DEP.
*Thread Reply:* You also have the option to use Configurator to add the device to ABM
*Thread Reply:* Right, but for that I need the device in my hands, which I have not. 😜
*Thread Reply:* The business team in any retail store should be able to help - you’ll need to call/chat/mail them though - walking into the store and getting an ABM enabled device ‘on-the-spot’ is a different story.
Do you guys also feel that the restore experience on iPhones is (still) inconsistent? At times I have cases where the new device (from supervised to supervised) does restore the MDM profile from the old device and then runs into the “Profile installation failed” issue, and at times it works fine and the new device interactively downloads the MDM profile as it should. Restoring from supervised to non-supervised works fine, as there is no MDM profile restored and you manually have to enroll the non-supervised device, which is fine. From non-supervised to supervised also works fine.
*Thread Reply:* There are a lot of problems when restoring to the same device
*Thread Reply:* In most cases it is restoring to a new device, restoring to the same is rarely done here. But the tests I did with restoring to the same looked fine, at least this time.
*Thread Reply:* Yes, I agree with you, Julio. I do face similar issues consistently.
*Thread Reply:* Even the “Quick Start” option worked for me, even though this was multiple times mentioned as not built for enterprise. Very confusing and frustrating.
*Thread Reply:* Julio I'm with you on this, we run into this issue all the time with our BYOD users where they transfer their data from their old phone to their new phone but then can't get enrolled because it copied over part but not all of their MDM profile to the new device. This leads to a support call because most users don't realize and don't want to deal with the WS1 self service profile to nuke their old device. Doing so fixed the MDM profile and then they get enrolled but I wish this didn't happen at all.
*Thread Reply:* Maybe to clarify on Quick Start with ABM - Most of the quick start functions will work, it’s just the direct device-to-device data transfer part that does not - you’ll be guided to use the regular backup-based data transfer- which is fine, esp now with iOS 15 where you get unlimited temp storage for such transfers. Hope that makes sense.
*Thread Reply:* Yeah, I get your point Thomas. That was also my observation, that the device-to-device transfer is also moving over the profile, which is excluded if you do it in another way. Moving it over with the device is creating issues and it would have to be removed by me through unenrolling the device later, without wiping it, if it even gets to the home screen.
*Thread Reply:* IBM has a nice overview on this: https://www.ibm.com/support/pages/dep-ios-backup-and-restore-guide
*Thread Reply:* Thank you so much! I knew this image from somewhere, but couldn’t find it anymore. I didn’t know that there was a whole article that it comes with!
Hi all, does one of you know if it is possible to create a multi-app kiosk 'mode' for iOS/iPad devices via VMware Workspace ONE UEM? For Android you can easily use the Workspace ONE Launcher in multi-app mode, but for iOS devices I see only a single-app mode payload...
@Sidney Hola! I suppose you could use App Whitelist/Blacklist paired with the Home Screen/Dock Config. Would that accomplish what you're looking for?
*Thread Reply:* Ola Woody, probably yes. got sort of the same response in another Slack channel. Will need to test this, hoped there was an easier way.
*Thread Reply:* @Sidney It's honestly pretty straightforward. Once you do it a couple times you'll come to enjoy it
Hello all, anyone know of a method to clear all installed app data on an iPad in shared mode with Hub sign-in via Workspace ONE? I am currently using an assignment logic which removes the app when the device is checked in; however, for apps that you sign in to, like Teams or Outlook, the account persists.
Hello Everybody! Has anyone had any success with allowing a single-app mode app to have access to device camera? We have a vaccine passport app that we would like to lock in SAM, but it needs to be able to scan QR codes.
*Thread Reply:* I had a similar issue. The app needs to be allowed the permissions first. And the permission prompt only comes up when not locked. So we have them unlock the app. Accept the permission. Then lock up again.
*Thread Reply:* Awesome, will try that... thanks!
As of iOS/iPadOS 15... is there any way to force a default browser via Supervision/MDM?
Hello, has anyone had any problems with iOS devices losing their CA certs? We are pushing out two CA certs via a profile to all our devices and we are having a few of the devices lose the certs. It only seems to be a problem with iOS 15 devices but I'm not ready to say that it is a 15 bug. I just got in this screen shot from a device and it would have had the certs installed as late as yesterday but today they were missing.
Yeah we have the same issue at a customer with iOS 15 devices. To narrow it down: what MDM are you using? Our customer is using MobileIron Core.
@Timothy Byler are you pushing both certs in separate configs?
We, at least are pushing them in separate configs
Symptoms: Customers reported that features based on certificates pushed via MDM stopped working on iOS 15.0 and 15.1 (VPN, Wi-Fi, email, ...) due to the keychain being incomplete or missing.
Cause: Apple confirmed that a bug could cause removal or corruption of the certificates pushed via MDM upon iOS updates. The behavior is triggered when pushing a profile with certificates to an iOS 14 device, updating to iOS 15, and then re-pushing that profile. This has to do with security changes made to iOS 15 and persistent references in the keychain. Pushing the profile with the now missing certificates again should resolve the issue and it should not re-occur.
Resolution: The vendor is working on a fix and relief will be shared as soon as it is available in a future beta release. AppleCare reference: 101551789316. Please reference your Apple ticket if you are affected.
Workaround: re-push profiles with certificates that are not linked or invalid.
*Thread Reply:* This would be fairly consistent with what I'm seeing. The one detail that I don't have is when the devices in question were updated.
We have found that repushing the profile fixes the problem for the device in question.
*Thread Reply:* Apple told us it is fixed in iOS 15 beta 4. We can't really test that because it does not always seem to happen.
*Thread Reply:* Thanks to all that contributed to this question. Some times it is nice to know that you're not just crazy.
*Thread Reply:* A question from one of our techs, "15.0 beta 4 or the just-released 15.2 RC (that is beta 4)?"
*Thread Reply:* I believe the latter, 15.2 rc2
We are using Jamf Pro, we are still on version 10.32.1, which is about two versions old. Currently I'm pushing both certs in a single config profile
@Timothy Byler it’s affecting most DoD devices, since there are multiple certs from multiple sources. It only happens when there is more than one cert. Pretty frustrating as it makes MDM app catalogs extremely cumbersome to use. No, it’s not fixed in 15.2 beta 4, or RC.
*Thread Reply:* Maybe check this one; https://support.apple.com/kb/HT212962
*Thread Reply:* Should be fixed in the just released 15.2
*Thread Reply:* Definitely not fixed, but thanks for the ammunition in my ticket escalation.
*Thread Reply:* Thanks for all the info, the bit about it taking more than one cert to trigger the problem is interesting. It would explain why we're not seeing it on all our servers.
*Thread Reply:* Today’s beta contains a fix that looks like it might address an issue where users are prompted to select a certificate to authenticate to websites several times before gaining access. - might be worth looking into.
Has anyone played around yet with Configurator for iPhone? Just realized it released a week ago. Gonna have to give it a shot.. https://9to5mac.com/2021/12/06/apple-configurator-now-available-on-iphone-for-adding-macs-not-purchased-by-an-organization-into-business-manager/
*Thread Reply:* I think that’s a good start. The whole thing works very well, hope Apple brings additional features in there.
Guided Access Mode on iOS - are there any payloads to configure that via MDM?
*Thread Reply:* Single app mode is the equivalent?
*Thread Reply:* Yes we could configure Single app mode with MDM, but not really the same like Guided Access
*Thread Reply:* Ok, looks like there are payloads:
Has anyone found any way to manage the home page in Safari for a supervised device? I don't recall there ever being a payload.
Is there a way to schedule VPP app updates? (MobileIron Core) We have the problem that mostly Microsoft app updates consume most of our bandwidth.
*Thread Reply:* Why not cache them locally with a Mac Mini or similar? (Also makes iOS provisioning much faster too) 🤔
*Thread Reply:* Interesting- how would that work in combination with MobileIron Core?
*Thread Reply:* Jason is talking about the macOS caching server option. That feature is independent of the MDM used. The iOS device would need to be on the same network as the caching server when running the updates.
*Thread Reply:* I see. Thank you, I will take a closer look. But basically the clients need to know that Mac Mini is the source for updates, am I right with that?
*Thread Reply:* No client settings are needed, they just need to be on the same network. This feature is built-in to macOS
*Thread Reply:* Sorry, been in meetings, but Lewis is spot on.
Trying to remember. If I've enrolled/supervised a device with MDM A and I retire... then User Enroll to MDM B... does the Supervision Flag carry over?
*Thread Reply:* User Enrollment? User Enrollment has no supervised mode, or what do you mean?
*Thread Reply:* On the other hand, a device that was once supervised is supervised until you remove it via Apple Configurator ;) no matter how the MDM changes
*Thread Reply:* Okay! It had been a minute since Supervised, then retired and added to a new MDM (without wiping/starting over). Thanks @iMZ for the refresher
*Thread Reply:* To clarify: If I'm migrating a supervised device from MDM A to B without a wipe, I want to make sure the Supervised Flag carries into MDM B
*Thread Reply:* When enrolling to MDM B, it is technically User Enrollment, because the user is enrolling... not Device Setup Wizard
*Thread Reply:* Ahh this way! If you do this, the device is also flagged in the new MDM supervised
*Thread Reply:* It's just like with an ACC to bring the device into supervised and then log in to MDM.
*Thread Reply:* Is it really a “User Enrollment” (with managed Apple ID) or do you mean a user initiated enrollment through agent @Woody?
*Thread Reply:* Yes @Jay it technically is perceived as a User Enrollment
*Thread Reply:* There is no MAID in this scenario. Basically a the MDM being removed from the source system, then being left without MDM.. so the user goes out and installs post-deployment, which is perceived by Apple/iOS as User Enrollment
*Thread Reply:* I get that, I’m just confused by the usage of “User Enrollment” as Apple tried to change it into this enrollment scenario that has to include MAID even though before MAID the same term was and obviously is still used for BYOD/non DEP enrollment
*Thread Reply:* I think @Woody refers to user-initiated device enrolment as ‘user enrolment’, somewhat confusingly. User enrolment has a very specific meaning now, with a MAID required and limited MDM functions. With manual device enrolment, supervision does indeed carry over; it’s a flag set on the device. The main issue you may want to consider is that the manually enrolled MDM will be user-removable, which might be a concern.
*Thread Reply:* Yeah Thomas, I was thinking the same that’s why I asked. I also do share the concerns with the removable mdm profile.
*Thread Reply:* @Thomas B. that's correct. So it is more of a manual enrollment in this scenario. No MAIDs in use. Appreciate you spelling that out. I'm sure it isn't the first time there will be confusion on that nomenclature
@David Baverstock has joined the channel
How are you guys deploying Exchange Online Shared mailboxes to the devices - only via MS Outlook? Is there an alternative?
*Thread Reply:* The built-in Mail app can't do Shared mailboxes, so I believe Outlook is your best bet.
*Thread Reply:* And if the shared mailbox has the password enabled?
*Thread Reply:* For the Outlook app, If they have delegate access, they should be able to add it by clicking on the add account button and choosing “Shared Mailbox”
*Thread Reply:* VMware Boxer supports Shared mailboxes as well (if you are already using WS1 and have it licensed).
Has anyone had success with the new "Account Driven User Enrollment" on iOS devices? Otherwise known as the "Sign in to Work or School Account" in iOS 15
*Thread Reply:* What are you asking about? I have a few devices I am testing this on.
*Thread Reply:* I’ve done some tests and it looks neat to me - quite the improvement over the iOS 14 era process with manual profile install.
*Thread Reply:* Agree, user enrollment is really good, but the dependence on Managed Apple ID makes it tough.
*Thread Reply:* That's promising to hear. I'm a Workspace ONE shop here, and having a devil of a time getting the pre-reqs together (building and hosting the domain.com/.well-known/com.apple.remotemanagement). Any guides specific to WS1 or generally you can point to?
*Thread Reply:* Not really unfortunately I am not well versed on WS1.
@Jonny Welander has joined the channel
Anyone aware of any iOS restrictions that could impact the use of CarPlay?
*Thread Reply:* Perhaps managed accounts such as calendar/contacts?
*Thread Reply:* We authorise the sync of managed contacts to native contacts
*Thread Reply:* You need to allow Siri even when unlocked. So check for restrictions regarding Siri
*Thread Reply:* @Mark Vonk We blocked Siri for locked devices and CarPlay works pretty well. When have you checked that?
@Damian Very obvious, but are WiFi or Bluetooth restricted?
(modified the typo)
*Thread Reply:* I am not sure about the current status, but it used to be a common reason for CarPlay to fail. If you Google for locked (not unlocked) you will find some references to it. Siri is still mandatory though, you need to enable it for CarPlay to work
*Thread Reply:* Siri is allowed locked and unlocked and Bluetooth/wifi too. Probably a bug so just reaching out in case it's a known issue. Thanks
Hi folks, anyone know if the « ratings region » in the media content section in the restrictions profile has any real bearing or influence as we manage multiple regions ? For example, we manage the APAC region but only see Japan, Australia & NZ as an option? There is nothing in the documentation to explain that…
We are in the midst of planning a process for how we handle backup/restore on a global scale and I want to ask for your input and experiences.
We have a lot of branches deployed all over the world. Backup/Restore is mostly done by our individual on-site admins, which nowadays can be a bit tricky. We currently don't use Apple Business Manager, so all of our devices are non-DEP and non-supervised. MDM is MobileIron Core.
How are you guys handling this with hardware replacements (switch to a new phone)? We thought about completely banning backups since it is mostly for consumer features and the devices are company owned anyway.
*Thread Reply:* We’re telling people that we do not officially support backups as they don’t work as they should in a business context and everything company related is in the cloud and doesn’t need to be backed up. If they still want to use it they can, but they should use iCloud or iTunes/Finder and not the Quick Setup option. If they have issues we still try to help though.
*Thread Reply:* Pretty good - thanks for sharing
*Thread Reply:* To add a bit onto @Jay's answer from my own experience: if your company applications are installed by the MDM and you have correctly flagged the apps themselves to not back up (or use iCloud, if you want both blocked), then they will not be able to back up. In high security environments the use of backups has long been banned, but it makes support more painful. Ensuring corp apps that should not be backed up or share data to iCloud are correctly flagged that way by your MDM is a good start. Then the use of iCloud Backup should work fine and a user's “personalized” settings will be moved, but the corp apps will have to be pushed down and then data sync'd back from the company.
*Thread Reply:* Todd is spot-on. I’d add that from a corp perspective, all data on phones should be seen as transient. That is to say, the canonical copy is what is on the mail server, in the database, in the backend etc. - the phone just has a local cache. Hence marking those apps as excluded from backup is fine. On restore, MDM pushes down the apps and the data is re-populated from the respective backends
Managed Apple ID questions: a.) is it possible to retrieve a list with names of the users that have a conflict? b.) our APNS cert was also issued with one of these Apple IDs; will this also be a conflict?
*Thread Reply:* I guess you have to contact Apple to move the APNS account from personal to managed Apple-ID: https://support.apple.com/en-gb/guide/apple-school-manager/axm6603d9206/web
*Thread Reply:* 1. nope… You can’t. It’s privacy 🙂
*Thread Reply:* Privacy yes , but emails are being mailed to users who have conflicts on your email system , so you still “know” if you want to
*Thread Reply:* this has been a huge blocker for us making the migration because we have
Once you take over the domain for user enrollment, the users will get a message from Apple indicating that they will need to transition to a personal id.
*Thread Reply:* You can get the count from ABM before you turn on migration and federation…
What's the easiest way to enroll an iOS/iPadOS device into ABM and enroll it into MDM? On the macOS side, we're able to use configurator to quickly enroll a Mac and provision like a standard ABM device. On the mobile side, it looks like we need to configure Apple Configurator on macOS, then enroll the device using an enrollment URL. Is there a way to quickly add the device into ABM, then provision remotely without having to configure Configurator?
*Thread Reply:* There is only 2 ways: via Apple Configurator or a reseller adding it for you.
*Thread Reply:* got it. I'm using Configurator now and am able to get my device enrolled into WS1 and in ABM. Process seems a bit quirky and not consistent on the multiple attempts I've tried to enroll a device using a blueprint. Profiles are delivering fine, apps are not installing.
*Thread Reply:* dep/abm via vendor is certainly the easiest
Does Teams yet support multiple accounts?
*Thread Reply:* simple answer... no.. Only 1 work 1 personal
*Thread Reply:* I do wish. The best thing is federation/linking between teams, but that's only if both orgs allow for it
Fairly certain I know the answer, but has anyone found a way to enforce DnD (Focus) on supervised iOS when a vehicle is in motion? I get something with CarPlay from a personal perspective, but I know a business isn't going to provide vehicles specifically equipped with CarPlay to guarantee this always happens.
*Thread Reply:* DND ? Dungeons &. Dragons? 🤔
*Thread Reply:* @Mark Vonk Do not Disturb (aka Focus)
*Thread Reply:* I don't know @Woody I think @Mark Vonk idea sounds like a lot more fun
*Thread Reply:* I did not see anything in the iOS restrictions documentation regarding focus/dnd unfortunately.
*Thread Reply:* Yeah, likewise. Have someone shopping different MDMs because they think one is going to be able to do something magical with Apple on that front. Hate to break it to them, but that's not going to get them anywhere.
*Thread Reply:* Potential solution on this front. https://lifesaver-app.com/
I saw today that Apple puts an "Information Required Soon" notice next to (some? most? of) the Bundle IDs in our Enterprise Developer account. This appears to refer to the "Deployment Details" questions that have been marked as "optional" until now. Does anyone here know more about this, or any announcements regarding the enforcement of those fields?
99.9% sure its not possible but I am being told by an MDM vendor that it is. Will apple unlock a device (remove device passcode, not activation unlock) if you can prove device ownership?
I know they can do activation unlocks but never heard of them removing a passcode for you so you can get access to the device again.
*Thread Reply:* Apple can’t. MDM can (if device is online and enrolled)
*Thread Reply:* Thanks for the verification. I never thought they did but our SureMDM vendor was trying to tell us they can.
Unfortunately in our case the phone is passcode locked and has been turned off then back on. And we know when that happens iOS turns off the data connection until the device is unlocked.
*Thread Reply:* if this is an SIM capable device just plug in an unlocked SIM. If it’s not use a Lightning to USB-A to Ethernet adapter or just a USB-C to Ethernet if you have an iPad Pro… that brings the device back online 🙂
*Thread Reply:* You can always wipe the device if you don’t care about the data.. Put it into DFU mode and restore using a cable.
*Thread Reply:* Thanks for that info Peter much appreciated. Our customer was hoping to keep the data otherwise for sure we could have just wiped it early on. But that is good to know about Lightning/USB-C to Ethernet adapters.
Hadn't heard of that one before.
Thanks again!
*Thread Reply:* I have this “kit”
*Thread Reply:* https://support.lenovo.com/dk/en/solutions/pd029741
*Thread Reply:* awesome thank you so much for the recommendation
*Thread Reply:* Hi Peter,
Have you ever run into the issue where the iOS device will tell you that you need to unlock the device before you can use USB accessories?
*Thread Reply:* Yes, that limitation has been introduced a while ago. MDM is able to change this policy - but you would’ve had to do this ahead of time.
*Thread Reply:* The restriction is “allowUSBRestrictedMode” - found in https://developer.apple.com/documentation/devicemanagement/restrictions
That site is really valuable to have on hand in this type of vendor discussion - it is the canonical answer to what MDM can or can’t do.
@Daniel Skaaning has joined the channel
Hi, need help: for the MS Outlook app for iOS, can I get the full list of AppConfig keys to create a .plist for allowing/restricting certain features? Via MDM server, for a public iOS app.
@Kenneth B. Jørgensen has joined the channel
Does someone have the chance to create a high-resolution screenshot of the profile creation screen of the old iPhone Configuration Utility?
We have some users who receive their corporate mail on both their iPhone and iPad, and only on the iPad do we see an issue whereby an email with an attachment over 10 MB is not fully downloaded but arrives in text format. We don't have the issue on the iPhone at all and are able to reproduce it on the iPad. The ActiveSync policy is the same for both types of devices: allow HTML mail. There are no settings in the Mail app that would influence this. I found some discussions in forums around network bandwidth that could be causing this, but my tests were done on the same 4G and Wi-Fi… any idea?
*Thread Reply:* Do you have an applecare case or a FB with AppleSeed?
*Thread Reply:* Not yet but we can definitely create one. I was just putting this out there in case anyone had experienced the same issue
Is there a payload for Safari „Request Desktop Site“ so we can pre-configure this? Or create a webclip with Request Desktop Site on?
@Benedikt Haller has joined the channel
We have been recently seen this affecting us and wanted to share this - https://support.microsoft.com/en-gb/office/phone-numbers-that-include-special-character[…]ne-dialer-on-ios-15-4-843c0015-da9d-4fd1-92e3-d08049e38fae. It seems this is fixed in iOS 15.5 and that should work there from our tests.
Wondering whether others experienced this issue with shared iPad, where the 'max cached users' setting doesn't seem to be respected. I.e. the max cached users was set to 10 and when user 11 signs in the first user who signed in won't be purged/signed out. We experienced this behavior with 2 MDM's.
*Thread Reply:* @Todd Cole anything you’ve come across?
*Thread Reply:* I find the updated deployment guide to be quite helpful; https://support.apple.com/guide/mdm/prepare-shared-ipad-mdm71124b400/web - with some interesting details in the referenced MDM spec. https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/shareddeviceconfiguration. Some noteworthy comments:
> Apply this setting before users log in to the device.
> If you upgraded the device to iOS 13.4 or later, perform an erase of all content and settings before applying this setting.
> Provide either the QuotaSize or ResidentUsers. If you provide both values, the MDM server uses QuotaSize.
What MDM’s are you seeing this with? Some vendors may have quirks in their implementation.
*Thread Reply:* Hi Thomas, the devices are running 15.5 at least. We noticed this on MobileIron Core and Intune. Within MobileIron and Intune this value is set in the enrollment profile, which applies before any user signs in. MobileIron applies ResidentUsers; indirectly I noticed that Intune does the same, although it is not documented as obviously as at MobileIron.
*Thread Reply:* Aloha! Can you confirm that no user QuotaSize is set in the test setup?
*Thread Reply:* I am almost sure (checked) you can only set max resident user, no quota size within Intune and MobileIron, but please tell me if you experienced otherwise.
*Thread Reply:* Fwiw, the setting isn't Max in the API; it's just ‘residentUsers’ which is the expected number.
*Thread Reply:* Do the local cached accounts use all of their allotted quota in your test? And do you actually see all 11 accounts as recent accounts on the login screen?
*Thread Reply:* @Woody Sorry, I have been on paternity leave and not on Slack for a month! There is a video that gets into this a bit from WWDC this year (I believe it is the device management video), but the basic concept is that either the OS balances the available space based on users (say 10, and it assigns the available space per user) or by space per user (separate option); when both are defined it gets tricky. I would verify that the MDM is not defining both but only one or the other control.
We have developers that need to access internal backend resources to test their web and native apps for both iOS and Android. How have you solved this? For web we could probably use MSFT Tunnel, but we're not sure about per-app VPN since the apps come from TestFlight/Android Firebase or sometimes sideloading. Can Microsoft Tunnel do full device VPN on iOS as well as Android?
*Thread Reply:* Yes, device wide VPN is supported on iOS as well as Android devices, but you need to enable it manually in Defender app
*Thread Reply:* If you’re referring to Platform SSO, that is macOS only.
*Thread Reply:* Platform Single sign-on (SSO) for macOS
SSO extensions allow a user to enter their credentials once, so that subsequent apps and websites don’t require the user to repeatedly reauthenticate. But historically, SSO extensions worked only after a user logged in with their local credentials to macOS. Platform SSO allows developers to build SSO extensions that extend to the macOS login window, allowing users to use an Identity Provider (IdP) password to unlock their Mac. The local account password is automatically kept in sync, so the cloud password and local passwords match. Users can also unlock their Mac with Touch ID and Apple Watch.
There are two supported authentication methods:
• Authentication with a Secure Enclave-backed key: With this method, a user who logs in to their Mac can use a Secure Enclave-backed key to authenticate with the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.
• Password authentication: With this method, a user authenticates with a local password or an IdP password.
Requirements
Platform SSO requires the following:
• macOS 13 or later
• An SSO extension payload that includes support for Platform SSO
• Support from the IdP for the Platform SSO authentication protocol
• A supported mobile device management (MDM) solution
◦ Note: If the Mac is unenrolled from the MDM solution, it is also unregistered from the IdP.
I hope I can deactivate developer mode on MDM devices
*Thread Reply:* I’d argue you already could - disable profile installation, disable trusting external developers, maybe disable USB data access…
*Thread Reply:* Also if you are in the Beta/Seed program file feedback asking for MDM capabilities you think are needed.
Hi, is anyone experiencing issues with Intune / iOS 15.5 and DEP devices for the last few days? We can't stage iOS devices anymore - the iPads get stuck in Intune single-app mode although they are flagged as compliant and authentication succeeds. https://www.reddit.com/r/Intune/comments/v6ol52/ios_devices_that_are_currently_under_an_abmdep/
Cause identified: the Single app mode option (DEP profile in Intune) does not work anymore with the current Intune + Company Portal app + iOS 15.5. Workaround: create a new DEP default profile without single app mode and assign it to new devices. Switching off the option in the current default profile doesn't help, unfortunately...
Thanks for the update @Alex Chappuis. That's interesting to say the least.
Hello,
Curious to know if there are any recommendations for instructor-led courses on the management capabilities available when managing iOS devices? There appear to be many self-service courses, but I'm not having luck finding some that are instructor-led.
The goal is to learn what management features are available when managing iOS devices that we may not know about.
Thank you!
*Thread Reply:* Aloha Pierre! I would concur, there might be room for somebody to offer that, but I haven’t seen many. Def not on a global level, local experts (e.g. in Apple Consultant Network or with local AAER) may offer options. Some MDM vendors have decent training - Jamf, VMware come to mind - that might serve your needs. Combined with the new self-paced training at https://training.apple.com/it you could get quite far.
*Thread Reply:* Good recommendations, @Thomas B.!
*Thread Reply:* Thnx! I forgot one important suggestion - to connect with a friendly Apple SE in your region. These teams aren’t huge so they may get busy, but they will have great pointers for you, as well as invites to (virtual) Tech Camps with the latest content and connections to the wider Apple org (think Apple Professional Services, Consulting Engineers etc.)
*Thread Reply:* You may also want to join the AppleSeed channels in the
Has anyone tested the new restriction in iOS 15 called « require managed pasteboard » ? Our Apple rep told us that it will block screen capture in managed apps but I just tested it and it doesn't work. Anyone have any luck with that? Thanks
*Thread Reply:* First I've heard that this should prevent screenshots or screen recordings. We are testing it currently for copy & paste restrictions (we don't apply the allowScreenShot key). It does not yet work with Managed Domains in Safari (can't paste from a managed app into any website in Safari, even if it is part of the ManagedDomains list), but that's supposed to be fixed in iOS 16. Another bug is that it prevents pasting a signature from a managed mail account into the signature settings - I should probably open a feedback for this.
*Thread Reply:* And the workaround, as always, is to take a screenshot and then copy the text from the image. Works quite well 😉 But I guess this is what you are trying to prevent.
*Thread Reply:* Managed pasteboard does not do anything against screenshots. It disallows copy/paste of text from managed apps. It works, but not for Safari managed domains.
*Thread Reply:* Thanks for the feedback guys - I was sceptical at best 😉
*Thread Reply:* If you would like to pile on: FB10768591 - requireManagedPasteboard blocks pasting mail signature into managed mail signature setting
*Thread Reply:* There is of course the classic restriction to block all screenshots. Although in this day and age one has to wonder - if the employee is intent on exfil of data, they can use a plethora of options including their trusty Xerox machine. Isn’t that more of an HR problem?
@Cristino Junior has joined the channel
I don't think this is possible (yet), but is it possible to define a default web browser (Edge, for example) for the native iOS mail client using an MDM payload and disallow the user from modifying it on the device? We are currently doing it via Outlook for iOS, whereby Edge is forced as default browser via an Intune MAM config policy.
*Thread Reply:* To my understanding, Apple has yet to make available the option for 3rd party MDM vendors to grant admins the ability to set the default browser on a managed iOS device.
Though I have yet to venture into the world of Intune MAM config, good to know about Outlook + Edge.
Has anyone found a way to re-push deleted system apps (Apple Mail) via VPP instead of allowing the user access to iCloud/App Store and re-installing it?
*Thread Reply:* Been trying to figure that one out myself. I learned the Mail app cannot be managed using VPP as it cannot leverage the InstallAsManaged key.
This is due to the intention that the email account is expected to be managed, and not the app, when managing an iOS device.
*Thread Reply:* @Pierre Michaud that makes sense. Suppose the only way to prevent this on company assets is to prevent the deletion of apps as a whole (iOS Restriction)
*Thread Reply:* @Pierre Michaud I believe I saw an MDM feature that would re-push all system apps. I’ll have to check but it may have been MobileIron Cloud/Ivanti Neurons.
*Thread Reply:* @Woody Please keep me posted!
*Thread Reply:* What?!!? Such a thing exists? Had a chance to try it?
*Thread Reply:* @Pierre Michaud Apparently! I have not had a chance. Will try it when I have a chance.
*Thread Reply:* Thanks for confirming! Looks like I will have to put in an FER with the vendor for my MDM solution :)
*Thread Reply:* Welcome @Pierre Michaud! I was pumped to see it work as well. Can’t believe this has been overlooked by so many vendors.
Has anyone found a way to prevent devices from streaming over cellular as a whole? Obviously there is the auto-join of WiFi, but is there some feature that would actually enforce every app on a supervised device to use WiFi if more than X data was consumed, etc?
*Thread Reply:* @Mathieu Beaugrand I did see that when I was looking around, but it’s similar to specifying allow/deny lists for apps. Would be cleaner if they just supervised these devices and only allowed apps to be installed that they want used. Agree on the cloud-based proxy. My gut says they’d first use Supervision and then, if it leans more towards COPE, engage a cloud proxy.
We have a VIP who keeps getting an incessant pop-up “authorise this device to access photos and videos”. This has happened ever since he connected his device to his laptop. Tried a force restart - nothing works… asked him to connect to iTunes and uncheck some sync options etc. in the hope that it might stop, but have yet to hear back. Anyone seen this before? Running 15.6.1
Happy iOS 16 day everyone! https://support.apple.com/en-ca/guide/deployment/dep950aed53e/web
@Daniel O’ Riordan-Collin has joined the channel
Trying to remember (it’s been a minute): Migrating from an unmanaged phone to a new device that will go through ABM/DEP: If I opt to restore from an iCloud backup (assuming it is a personal account), would I then be guided into MDM enrollment? What happens to the iCloud account that the restore is initiated from once the startup wizard completes?
*Thread Reply:* Will this help? https://www.ibm.com/support/pages/dep-ios-backup-and-restore-guide
*Thread Reply:* Nice @Peter Mohr! Bookmarking that one.
*Thread Reply:* My only question is… the personal iCloud account that was on the device previously… it continues to exist, yet activation lock/etc. would no longer be applicable (due to ABM/Supervision). Correct?
Can someone send me the following information?
• Screen video for activation of Advanced Data Protection for iCloud
• Is the data still available on iCloud.com (and how)?
• Will the data be available within privacy.Apple.com?
• Is this option available for managed Apple IDs?
I will pay you 50$ via PayPal if you send me the info ….
*Thread Reply:* @iMZ to answer your questions.
1) Sorry, I don’t have a screen recording just yet.
2) If enabled, data is NOT available on iCloud.com.
3) No, the data will not be available, as even Apple does not have access to your data.
4) No, managed Apple IDs are not an option.
All answers are in this link - https://support.apple.com/en-us/HT212520
*Thread Reply:* Just going by the doc 🤷‍♂️ haven’t personally tried it yet
*Thread Reply:* When you say wrong, is it wrong or just not working as per their documentation?
*Thread Reply:* You can access data on iCloud.com
Apple transfers the decryption keys at runtime from the device to display the data within the browser.
Is there a possibility to push a single contact into the contacts app using a profile?
*Thread Reply:* What's the use case? Something like a global helpdesk number on all devices? Could be pushed via web clip and deeplink to the phone app so users tap the web clip and it starts the call.
*Thread Reply:* Use case would be to share OTP per SMS with the users for example, obviously after they verified the phone number with us. Not so much for calling, really more for texting information in case user password gets reset, as another example
@Jay I don’t believe so. Closest thing I’ve seen is something like this from @Peter Mohr’s company: http://phonebook.conscia.com/FAQ
*Thread Reply:* Yeah. Ping me if you need help with this. Should be pretty easy though :-)
*Thread Reply:* @Peter Mohr Question about the Corporate Phonebook. I am looking for a solution that I can use to keep a list of contacts that I want to update centrally, but my end users can use the contacts in a way that is similar to the native contacts app. Key here is that I need to make sure that the “central office” can specifically control the “company contacts.” The teams already have a company directory (think big HR-managed data, Office 365) but want a tool for the smaller team (think about 70 people) where this regional team’s info is maintained as they rotate throughout the larger company often. I need a way to say “the person for region A is XXXX” and have the contact info for that be central. Does this make sense, and will this app do that?
*Thread Reply:* The app doesn’t do this 😞 I once looked at this company/product suite…
https://cirahub.com/two-way-contact-sync/
Peter
*Thread Reply:* Thank you for the recommendation
@David Arvidsson has joined the channel
Does anyone know if we can disable Apple's Mail Privacy Protection feature remotely? There is nothing about it in the documentation and I'm afraid it's not possible yet :(
https://developer.apple.com/documentation/devicemanagement/mail
@Steven which feature in specific? Like Hide My Email?
*Thread Reply:* @Woody the feature called "Mail Privacy Protection [which] works by hiding your IP address and loading remote content privately in the background". It pops whenever you first launch the Mail app after deploying an EAS payload for the native Mail client. It can also be found in Settings > Mail > Privacy Protection.
*Thread Reply:* Is this really becoming a thing? And would you really want to do that on BYOD?
*Thread Reply:* It’s been banned in 18 states in state government devices. But not on BYOD. Use MAM to Protect your data.
*Thread Reply:* Not reflecting my own views; let me play devil's advocate: "Don't we ban other malware on BYOD, or at least have the MTD trigger non-compliance?"
*Thread Reply:* It’s a slippery slope to go down. If you’re that concerned IMO, don’t do BYOD.
*Thread Reply:* It really depends on the “data” you want to protect. MAM does not protect you against any of the data TikTok collects, except for contacts maybe. If you need to secure, for example, location data, indeed you might be better off handing out corp phones.
*Thread Reply:* Following this closely, as all government organizations have established bans on the app now for their company phones. There must be someone who works with them here. Was it just a blacklisted app in W1? As I thought there were limited capabilities in iOS for this.
Hi Friends! For a while now we have been getting a lot of calls from users who enroll iOS devices in Workspace One. The apps configured for auto-install (Hub, Outlook, Teams, Authenticator) are shown on the home screen but with a cloud on the icon. We have seen this before for offloaded apps, or on apps restored from an iCloud backup, but in this case it is new devices just enrolled without any restored backups. Anyone know why?
@Jeff Hernandez has joined the channel
Hey folks do you know if it is possible to migrate devices from one ABM (company A) to another ABM (company B) in some sort of non manual way?
*Thread Reply:* You can either have the vendors who provided all the devices remove them from one and add them to the other. Or you could take all the devices and manually add them through Apple Configurator. Depending on how many devices you have to deal with, one would be easier than the other, of course. That’s really the only way to do it.
*Thread Reply:* We found out in the end that the Apple reseller can just move them from one ABM to another with the stroke of a pen. Thanks.
*Thread Reply:* I think you got lucky with the vendor. One having a single source of purchases and then also having them do the work. Seems like a lot of resellers are batting about .500 on the technical expertise and execution.
Today Klaus Rodewig held a very interesting #webinar ( https://lnkd.in/e47iefMs ) about the APIs of #Apple #iOS/ #macOS / #tvOS and #watchOS. It was a great opportunity to learn more about the usage of these APIs and to learn from an experienced expert. I am sure that both developers and administrators benefited from this webinar and it will help them to successfully implement their projects.
I was able to help Klaus with the "Shared with you" feature by sending him links to my #Podcasts https://lnkd.in/e4NrcgQE and https://lnkd.in/e9EwTCGX via iMessage, where I had the opportunity to give interviews in 2022.
The #Heise Mac&i Pro offer is not only for #developers, but also #administrators can benefit from the presented content and take away valuable information for their work.
Can we supervise a non-ABM device using Apple Configurator without enrolling into any MDM? I can see the option to supervise only in Apple Configurator (I don't want to add it into ABM or activate and complete the enrollment while supervising the device), but I'm not sure how to enroll it into an MDM after that so that the device shows as supervised in the MDM or ABM console.
*Thread Reply:* Not sure about your question. You can, for example, supervise a device with Apple Configurator instead of having to enroll it in an MDM. The device gets supervised the same way it would via an MDM. You can even deploy profiles and apps via AC. It can replace a whole MDM in some way.
If you just want to use AC to have your device attached to ABM in order to use the Automated Device Enrollment feature with a third-party MDM, here is the process:
• Link your ABM "Organization" to AC
• "Prepare" your device via "Manual configuration" and tick "Add to ASM or ABM"
• Let AC add the device to ABM
• In ABM, move the device from "Apple Configurator" to your current MDM
• Check your MDM for specific actions after adding the device (like assigning a DEP profile)
• Enroll your device :)
*Thread Reply:* Thank you. We already tried this and were able to add it into the ABM portal with user affinity.
*Thread Reply:* But if we just want to supervise the device without adding it into the ABM portal, will I be able to enroll it later into any MDM?
*Thread Reply:* You need an ABM to get the device supervised. AFAIK it's not possible to do it without ABM. But if it's in ABM you can leave it unassigned so it is not enrolling to any MDM.
*Thread Reply:* Why do you need supervision? It only gets you access to a few more profile commands? Maybe the passcode reset?
*Thread Reply:* Yes, you can supervise a device only via Apple Configurator and then manually enroll later into MDM. We have done this with many devices.
Hi folks, anyone know where this is coming from? I’ve seen it the past few months only but disabling certain mobile data options doesn’t make it disappear. Some users click the option to use mobile data by mistake but I’m guessing that there is no MDM option to disable the use of mobile data probably to ensure that devices receive the update one way or another…
*Thread Reply:* It’s an iOS feature controlled by the carrier settings of each iOS build
*Thread Reply:* Oh really? Where did you get that info? 😉
*Thread Reply:* From Apple… we had a private session with them about carrier settings in general 🙂
*Thread Reply:* Nice, I’ll fire off a quick email to our account team to see what they come back with! Any particular reason they have for implementing this other than the one I mentioned?
*Thread Reply:* Weird though, as I see it only on iPad and never on iPhone, same carrier network on the devices... can it be targeted towards certain device types
*Thread Reply:* Carrier Settings is per device model. Each model has its own, so iPhone 8 can be different from iPhone X etc. You can download the ipsw files for each model and check the settings for each carrier if you care to :-)
*Thread Reply:* Hi Peter, can you please explain how I can check those settings on an IPSW file? I tried looking into its files but couldn’t find any carrier-related setting.
*Thread Reply:* On more recent iOS versions (15.4 or later), the old carrier size limit for OS updates on cellular in the carrier configuration is no longer applied.
*Thread Reply:* @Amine the carrier bundle extraction flow looks something like this:
1) Download the .ipsw
2) Rename to .zip
3) Unpack
4) Find the largest .dmg inside the folder
5) Mount the .dmg
6) Look into the /System/Library/Carrier Bundles/ folder in the mounted volume
7) TDC DK is called TDC_dk.bundle (find your own carrier… 🙂)
8) Copy the .bundle, rename to .zip, unpack…
*Thread Reply:* @Thomas B. this is still a carrier setting under carrier control, but you’re correct that carrier settings are no longer sent to the device “out-of-band”. Now they are only pushed as part of iOS updates.
*Thread Reply:* The values no longer have the effect they had - some customers have been surprised by the change… It makes sense though; the ability to set the limits that made sense in 2007 for iPhone doesn’t really apply anymore in 2023, where data is abundant.
*Thread Reply:* The limits are STILL in effect if the telco chooses to have it so. TDC in Denmark still limits the downloads and the OS updates on cellular. The other carriers in DK have removed their limits…
*Thread Reply:* Thanks for that detail! I had only heard from 1 carrier in the US so far still enforcing any limit, but I’ll take your local expertise. The challenging part for me is that most carrier employees won’t have knowledge of this mechanism nor their setting, so for me, the changes with 15.4 have been a great help.
@Rob Knight has joined the channel
Any blog about the new features of Apple User Enrollment with iOS 17.x? Please share the link details.
So random question for you all, what is the best way to allow staff to free up storage on a device once it starts to fill up? Every now and again I get a request saying the storage is low and we just remotely remove and reinstall the apps (yes our techs could manually do this but they seem to struggle with it) so curious what other options people use?
*Thread Reply:* Are these personally enabled (i.e. COPE) devices? In that case I’d probably direct the user to https://support.apple.com/HT201656 and start there to figure out where the space is used.
Is there an MDM out there with watchOS management (beta)?
Hi folks,
Anyone here seeing issues with iOS devices not communicating updated information with MDM? In particular, the OS version? Our helpdesk has received quite a few cases recently because our compliance policy is sending out mails to tell users to update their iOS, but it’s already updated on the device. There are also quite a few commands waiting under the troubleshooting section - rebooted device, changed network, reset network settings, but still nothing… this reminds me of the issue with the empty samples for certificates not sent to MDM (in our case WS1), which then revoked the cert…
I can also see a “not verified” message in red on the MDM profile…
Is there a way via an MDM to prevent Safari from storing passwords?
*Thread Reply:* Yes there is a password autofill restriction: https://support.apple.com/en-euro/guide/deployment/dep0f7dd3d8/web
*Thread Reply:* For those interested to try, Mosyle has this in their beta feature set now that you can easily opt-in to. Makes for a fun test.
Our CISO has some issues with deploying user certificates to iOS devices because of the possibility that someone who would have access to the phone could export the certificate and use it. Our phones are passcode protected anyway, but let’s say someone would have physical access to the phone, could they export the user certificates which have been deployed via MDM? Is there a technical way or will Apple prevent that anyway?
*Thread Reply:* Only Apple apps/processes have access to the keychain where the certs are stored. So no!
*Thread Reply:* Gotcha. Except "Jailbreaking" or using OS vulnerabilities
*Thread Reply:* true, but then you can never trust your devices and shouldn’t use them for anything 🙂
*Thread Reply:* This might be helpful info on how keychain works: https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/1/web/1
*Thread Reply:* The larger Data protection section is also very informative on how all the crypto works.
*Thread Reply:* You could look into ACME and Managed Device Attestation with Secure Enclave backed certificates - those are the ultimate answer for this type of concern.
Classic MDM deployed certificates can be included in the backup, so blocking backup (and data access via USB in general) would be one measure to consider as an intermediate step.
I’d also be interested to understand the risk perspective - even if the CISO threat model includes an employee that is actively subverting security controls, I don’t believe technical controls would necessarily be the appropriate answer…
Does anyone know what the Bundle ID for the iOS Captive Portal is?
*Thread Reply:* Isn’t that just a Safari webview?
*Thread Reply:* That was my thought. However, unlike other Safari webview and WebKit prompts, when I pull up the Captive Portal I don’t see an entry in my console logging like this:
FilterControlExtension Flow seen with Remote Endpoint 13.107.21.200:443, protocol: 6, AppID: .com.apple.mobilesafari, AppVersion 16.6, URL: https://www.bing.com/, Result: Blocked
We have a plug-in Content Filter that can allow or block traffic to apps and websites. Pretty much any app bundle ID appears in the logging. Seemingly all but the Captive Portal.
*Thread Reply:* Com.apple.captive and com.apple.WebKit.WebContent.CaptivePortal show up in my searches
*Thread Reply:* I think I’ve got this solved. Our logging was not picking up NEFilterBrowserFlow traffic. A little tweak to that and we get: com.apple.Websheet
So, for anyone encountering something like this com.Apple.Websheet is the App ID the Captive Portal is using.
Does anyone know if you can assign Azure federation with ABM for multiple Azure domains? E.g. we want to add our test tenant and domain for shared iPad managed Apple IDs
*Thread Reply:* Thanks Almar, must have overlooked that. But looks like the answer is no, as we have two separate tenants.
Anyone here seen an issue whereby under General/About/Network there is a message « Phone not allowed »? The issue we are seeing is that the network connectivity is fine for a few mins/hours and then it throws this message. Multiple SIM cards tested - same issue. Apple contacted, and the device is not reported as stolen/lost/blacklisted. We tried the usual - erase content and settings etc… strange one!
Anybody else use Global Protect on iOS devices with a per app vpn configuration? If so have you noticed any issues with the time it takes to complete HIP checks?
Just very recently, all of a sudden GP seems to take forever to complete its HIP checks before it allows traffic through. Users open an in-house dev'd app, the app tries to go to the IdP for login, but it can take 2-3 minutes before GP allows the traffic through.
Never has been an issue until last week. But networking is telling me the speed of completing the HIP checks is just based on the processing power of the device it's on. But if the same devices worked fine for the last year up until just last week I'm not sure how that means the devices are the root cause.
Hi folks, anyone aware of what this means? I can’t really find any other info on this. Thanks https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/GettingReadyForAppleReleases/GUID-GettingReadyforAppleReleases2023.html
Looks like Apple found a new zero-day vulnerability affecting older iOS versions and is requesting customers update to v16.6.1.
And Apple iOS version 17 is also coming in 2 weeks.
How are you guys enforcing iOS updates for users on unsupervised devices with Intune MDM, apart from enforcing a compliance policy and sending push notifications or email?
*Thread Reply:* For unsupervised devices there is not much you can do except mark those non-compliant and block email, etc. if these are Intune enrolled. Otherwise, enforce the iOS version using the MAM application protection policy.
Is there any other way to enforce updates on unsupervised devices via Intune MDM?
Are they enrolled in Intune? Or just using app protection policies?
It's enrolled in Intune as a company-owned device using the Company Portal app.
If it’s not supervised then all you can do is enforce compliance policies really.
And don't forget the conditional launch for app protection policies - you can specify a minimum OS version.
*Thread Reply:* I tend to always disable Compromised Protection no matter what. It's the same story for each major iOS release 😐
*Thread Reply:* You mean turn it off temporarily until VMware releases the fix, or off altogether?
*Thread Reply:* Off all the time !
*Thread Reply:* You can use Compliance Policies instead. Same detection of compromised devices, but you decide what the actions are instead of a default "device wipe" from the Compromised Protection setting.
*Thread Reply:* Yep, I just checked and this is actually what we do (use a compliance policy and disable this setting)
@Jorge Bayán has joined the channel
@Josh Schofield has joined the channel
Hi everyone, is anyone using Citrix SSO (Citrix Secure access) for per-app-vpn functionality on Apple iOS Devices? Since iOS 17.1 and/or app update 23.11.1 (738) we are noticing that the app is listed in the battery overview with 47% background activity even on unused devices. My test device is showing 2h 36min background activity for the Citrix app where “Screen off” time is 2h 39min. Anyone else noticing battery draining on iOS 17.1 and/or Citrix SSO app?
*Thread Reply:* We had a similar issue with the VMware Tunnel app for iOS, which got stuck on the DTLS channel when the merge between TCP/UDP channels failed. The client was not intelligent enough to recognize and terminate the session, thus it became stuck in a loop, consuming battery power in the process. It might be something similar with your Citrix client?
*Thread Reply:* Interesting. Thanks for your reply! Had a look into the client logs and it seems to listen to any system broadcast where the device is stating “awake”. However, I’m 100% sure that the device has been on my desk during the night 😄
And, in regard to your path:
"DTLS Mux setup timed out. No response from NSG?
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Control channel creation successful.
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: controlChannel Fd 11 and stream <NSGIoStream: 0x1032a61e0>
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Control Channel stream is <NSGIoStream: 0x1032a61e0>
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Creating DTLS MUX
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: Control connection setup successful. GW: <PUB-IP>
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: NSGTunnelParameters - Updating tunnel status from 3 to 3
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: [C261 <PUB-IP>:443 udp, tls, attribution: developer, path satisfied (Path is satisfied), viable, interface: en0[802.11], scoped, ipv4, dns, uses wifi] transition to preparing
[Nov 2, 2023 at 11:20:49 PM GMT+1] <Debug>: [C254 <PUB-IP>:443 udp, tls, attribution: developer, path satisfied (Path is satisfied), viable, interface: en0[802.11], scoped, ipv4, dns, uses wifi] transition to preparing
[Nov 2, 2023 at 11:20:50 PM GMT+1] <Debug>: DTLS Mux setup timed out. No response from NSG?
[Nov 2, 2023 at 11:20:50 PM GMT+1] <Debug>: setting Control channel <NSGIoStream: 0x1032a61e0> read handler
[Nov 2, 2023 at 11:20:50 PM GMT+1] <Debug>: [C261 <PUB-IP>:443 udp, tls, attribution: developer] cancelled
[Nov 2, 2023 at 11:20:52 PM GMT+1] <Debug>: Device going to sleep, tunnel status 3.
[Nov 2, 2023 at 11:20:52 PM GMT+1] <Debug>: No current connections
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: Device wake up from sleep, tunnel status is 3.
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: No current connections
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: PacketTunnelProvider: (0) Re-establishing control channel because of a system wake event. (networkIsDown: 0)
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Error>: checkConnectivity - connect result = -1 (errno=36)
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: Connectivity check. select() call return value = 1
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: Trying to re-establish control channel.
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: NSGControlChannel - Appending HTTP headers
[Nov 2, 2023 at 11:23:49 PM GMT+1] <Debug>: NSG control Channel Request: [HTTP REQUEST ...]
Hey Gang -- Anyone noticing devices added via Configurator are listed in the ABM/ASM Assignment History, but aren't actually shown as a device that you can find?
*Thread Reply:* This was happening to me today too. But it finally resolved itself.
*Thread Reply:* Yeah -- I left a device in the system overnight and it worked itself out. Sort of frustrating, but at least it self-resolved.
*Thread Reply:* Happened to me yesterday too. After a couple of hours, the device showed up in ABM
General Apple question - Am I right in assuming that there is no way to connect to Wi-Fi via QR code etc. during device provisioning (ABM/DEP) like there is with Android? I’m pretty sure I know the answer but just wanted to be certain I’m not missing a trick
Just a quick heads up for everyone! I’d advise you all to check your iOS fleet as we’ve lost mgmt on approx 3000 devices out of 60,000! Symptoms: devices are no longer communicating with our MDM provider (WS1 in our case). After exhaustive troubleshooting, multiple sysdiagnoses and many months of back and forth between us, VMware and Apple engineering, it seems that there are multiple issues on both the APNS side (notifications dropped/lost) and also the device side, whereby connections to the MDM are being refused by iOS due to an SSL pinning issue related to non-trust of GoDaddy root/intermediate certs. Keep me posted as I’d be interested in everyone’s feedback here.
*Thread Reply:* wow @Damian not good! Keep us posted if you can
*Thread Reply:* Sounds like the GoDaddy certs just need to be added into SSL pinning in the console
*Thread Reply:* Well, those certs are present in the Apple native cert store so I don’t see why iOS is complaining. What would putting them in the SSL pinning section of the console help in any way?
*Thread Reply:* Has nothing to do with the device itself. In the WS1 console you have pinning set up with the full chain and it tells the client device who the issuers are. The client is being told what the exact certificates are and not to trust anything else
*Thread Reply:* So if you have a pinning issue it is most likely the pinning configuration
*Thread Reply:* APNs doesn't use WS1 cert pinning though.
*Thread Reply:* The MDM Push certificate portal is managed by Apple. If they're not trusting the MDM commands from a service that's using their own certificate for APNs, that's really bad.
*Thread Reply:* We also see that an (increasing?) number of devices are no longer reporting their iOS version or installing profiles. Did anyone identify a solution for devices no longer communicating via the MDM protocol that does not involve a device wipe and re-enrollment? (WS1 MDM)
*Thread Reply:* We have been on a bridge every 2 days with Apple/VMware for a month and they have yet to pinpoint the issue or issues.
According to the APNS team, the device is seen as offline as the device token is no longer active for the “topic” that is created to process the notifications. The reason behind this is apparently due to a malformation of the request sent by UEM that the APNs refuses…so for now VMware and Apple are battling it out!
Another issue is that post reboot, the device is supposed to (as per design) check in to the MDM but this is not happening either.
*Thread Reply:* Here are the associated logs:
Registration of the topic:
2023-12-07 13:19:46.021805 0100 0x892 Default 0x0 134 apsd: (apsd) [com.apple.apsd:connectionServer] Creating server: with connectionPortName: com.apple.aps.managedconfiguration.mdmdpush-prod user:
Errors:
Line 1303: 2023/12/07 12:50:28.753 DE02PCN1549GA1 11901f8f-4e80-4dbd-a5a6-ca922631a8f6 [
Line 1306: 2023/12/07 12:50:28.753 DE02PCN1549GA1 11901f8f-4e80-4dbd-a5a6-ca922631a8f6 [
*Thread Reply:* Thanks, that sounds like it could be fixed by VMware at least. Can you share the Apple and VMware ticket numbers?
*Thread Reply:* It’s a strange one as it’s only 3000 devices (5% of our fleet) that are affected. I’m wondering how these packets become malformed…
*Thread Reply:* We have our own individual incidents raised on each side but there is a collaborative incident between Apple and VMware regarding this. I’ll fish it out and send across in a bit.
*Thread Reply:* This is a difficult one, @Damian I am curious to hear the resolution.
*Thread Reply:* Hello and Happy New Year folks.
Ok. So basically Apple rolled out a fix in 17.1 to address the cert chain issue that prevented the devices from checking in to UEM.
https://support.apple.com/en-gb/HT213892
This helped to solve 1/4 devices according to our tests but most never recovered. Apple then told us that the device token issued by the MDM was changed by iOS. I asked why and when that happens but was told it’s proprietary information related to the security of the device. Typical…so for these remaining impacted devices, what happened was that the packet sent by UEM to the APNS never reached the device because the token on the device side didn’t match the one on APNS. It seems that at some point when the first issue related to the certs was present that the device token changed and was unable to inform UEM. This then meant that the device was unable to recover and became stuck in a limbo state. A small number recovered which means that their device token didn’t change and thus when they upgraded to 17.1 the MDM accepted the connection. This is what I find strange that in all the months when many of these devices were cut off from MDM that their device token didn’t change??? Again Apple won’t tell us…so I smell bullshit…so basically we need to reenrol 3000 devices to solve the issue hoping it doesn’t happen again…again no guarantee from Apple…
*Thread Reply:* If it lost the APNs certificate, that tracks
*Thread Reply:* It’s not the APNS cert but the device token that is used by APNS to identify it
*Thread Reply:* Yep insane…not even a guarantee that the issue could rear its ugly head again and even why this token changed for a certain number of devices and not for others which were all offline with the same issue…
*Thread Reply:* Ok, so after insisting that they stop taking the piss re their proprietary info argument, Apple has theorised that the device token change happened during the 1st issue with the certificate chain when the device was offline because the security posture of iOS changed - they are guessing that it was due to an invalid MDM installation found but cannot be sure as they didn’t have the logs at the exact time it was changed. You couldn’t make this shit up!
*Thread Reply:* So, cue reenrollment for approx 1000 devices…
Word out is that 17.2 is a mess and causing lots of issues with contact sync crashing apps. Anyone seeing this? We already have a few incidents raised since the release…
*Thread Reply:* 40,000 iOS devices are upgraded to 17.2 now….
*Thread Reply:* It seems to only be impacting users with a lot of contacts…
*Thread Reply:* like how many? I have 2000 contacts and no issues so far
*Thread Reply:* It’s a lot more than that apparently - some VIP users have 20,000 - yeah I know it’s ridiculous but you know how it is…will keep you posted if anything else happens but I just had 2 apps crash on me - Intelligent Hub and Planner - and I haven’t seen crashes in a long time…
*Thread Reply:* https://discussions.apple.com/thread/255340169
*Thread Reply:* Our CEO has just been impacted and I believe he doesn’t have that many contacts, just a few hundred. We’ve just gone ahead and communicated internally on this and opened a critical case with Apple. Strange that no one here is reporting this…
*Thread Reply:* Interesting. I had a ticket open for a customer for 6 months with Apple for a high data usage issue related to Contacts (iOS was using GBs of data toward gmdf.apple.com as soon as the Contacts list had a few thousand entries). They fixed it with 17.2, but it seems they broke something else…
Apple School Manager and password policy: Is it possible to differentiate password policy assignments automatically on Managed Apple IDs (federated Azure users), meaning users with a specific domain will automatically be assigned a 6-digit password policy and another domain the default 8 chars (numbers and letters)? Or differentiate assignment on a specific user attribute value? Thanks in advance, Daniel
Need your advice about Apple’s "New -> Account-Driven 'Device' Enrollment flow". Have you tried this or already implemented it? If yes, can this enrollment convert a standalone device into a supervised device after activation? #ios_general #apple
The device will not be supervised if I remember correctly
*Thread Reply:* It is really strange, I don't think it can be supervised like this as you have to go to settings to enroll with account-driven enrollment
*Thread Reply:* I wonder if it might be different for Mac and iOS devices
*Thread Reply:* Sure, but how to clarify? Anyone already testing ADDE? If so, can you share your view?
*Thread Reply:* Actually it seems that there are still some limitations with ADDE, for example you can’t see or manage the apps on the user side
*Thread Reply:* But you also get full access rights on the device
*Thread Reply:* If I remember correctly you also get the same limitations as UE, you cannot ask for management of an already installed application, so users will have to remove the app and the MDM can then prompt for installation, and if you remove the ADDE account the device is not enrolled anymore
*Thread Reply:* Any idea which MDMs support it? I cannot find docs for Ivanti, Intune and WSO
*Thread Reply:* We need to know more about ADDE’s possibilities and cons...! Trying to find out; let me share an update once I get some information...
*Thread Reply:* we don’t support it, but I should be able to easily test this with our own MDM
*Thread Reply:* please do share when you know the results.
*Thread Reply:* With iOS, ADDE does not result in supervised devices, similar to what profile-based device enrolment would do. With macOS it does, with the noted exceptions. This was documented in pretty good detail in the release notes PDF available through the AppleSeed beta testing program IIRC.
*Thread Reply:* Found it in here; https://appleseeddownload.apple.com/appleseed_for_it/asit2023/Whats_New_WWDC_2023_v1_2.pdf
*Thread Reply:* It’s now also in the Deployment guide - https://support.apple.com/en-gb/guide/deployment/depd1c27dfe6/1/web/1.0#depfd2eb8980
*Thread Reply:* Thanks for sharing and for the updates! I will read that documentation.
*Thread Reply:* The same has been clarified by Apple in a forum https://developer.apple.com/forums/thread/735541 comments: "On iOS device the only way to get supervision is to use Automated Device Enrollment or Apple Configurator. The supervised state via ADDE comes only on macOS. — Systems Engineer months ago"
*Thread Reply:* Answers found and we can close this topic.
Just noticed this this morning, the new Stolen Device Protection feature will prevent MDM profile installation on iOS device
users will have to disable Stolen Device Protection, enroll and enable the feature again 😭
I guess it was put in place because you must enter your passcode to install an MDM profile, and only biometrics are possible outside trusted areas when this feature is enabled…still, work could be considered a trusted place, and most people enroll at work or remotely from their home office 🤔
actually the message is: Stolen Device Protection is active. To install this kind of profile, temporarily disable Stolen Device Protection in Settings and try again.
does not seem to allow for any “trusted place” exception
Can’t hurt to file feedback if this is creating friction for you; although I suppose many will be using Automated device enrolment which would enrol prior to SDP becoming active.
Yes, it’s just that for the BYOD use case this will add more friction
Hi team,
Issue: Unable to connect iOS devices to the Xcode tool on a Mac. In general, when we connect an iOS device to a Mac, we receive a prompt on the iOS device screen to Trust this device, but after enrolling the device (fully managed), we do not receive this prompt. I posted in the Apple Forum but haven't received any response: https://developer.apple.com/forums/thread/744580
Please can someone check and advise?
*Thread Reply:* There should be an “Allow host pairing” option in your MDM; once enabled, that should sort the problem out.
Hi folks, anyone know if previewing a website would constitute opening a malicious link? We’ve seen it to be the case. Our security team ran a phishing exercise and a few users did this thinking it wouldn’t trigger an alert! I didn’t find any MDM restriction that would allow us to block this…
*Thread Reply:* yes, the device actually opens the link and then renders the preview... To the phishing/pen-test team this looks like a user clicked the link
*Thread Reply:* Yes, this is what I thought 🙂
NOTE: Stolen Device Protection blocks MDM enrollment and must be disabled prior to enrolling. If it is enabled during enrollment you will need to disable it but the device will go through an hour long countdown for it to disable and for enrollment to continue
If anyone is interested, the following MDM restriction has been documented in 17.4 beta 2 to disallow third-party App Store installation
https://developer.apple.com/documentation/devicemanagement/restrictions
*Thread Reply:* Looks like it doesn’t require supervision. Am I reading that right?
*Thread Reply:* Confirmed by Apple - all iOS restrictions for third-party AppStores will require supervision (which is what I expected)
*Thread Reply:* When can we try this restriction profile in our MDM/Apple Configurator? For non-supervised devices, do we not have any option to restrict third-party app stores?
*Thread Reply:* Can hiding/blocking those marketplace apps or bundle IDs help for non-supervised (managed) devices?
*Thread Reply:* Another nice article I found to block the marketplace, very nicely written by an MVP: https://www.intuneirl.com/alternative-app-stores-not-on-my-supervised-devices/
Are there folks here using Apple's shared iPad solution (requires managed Apple IDs, etc)? If so, would you mind sharing your experience?
*Thread Reply:* following - as we have a requirement that may warrant this but just haven’t got round to actually playing with it fully yet
*Thread Reply:* We have played with it too, but I'd really like to hear from anyone using it in a production environment. Operationally I think shared iPad adds a ton of overhead.
*Thread Reply:* From what I’ve read I 100% agree and that’s half the reason why I haven’t played with it yet. If it was as simple as Android, doing it with some kind of launcher that overlays on the screen for sign-in/sign-out, that would be amazing, but it’s the use of Managed Apple IDs that I don’t like
*Thread Reply:* Also, it doesn't connect the authentication to the device to extensibleSSO. This would be the game-changer we need if it could/would do that.
*Thread Reply:* We use Temporary Sessions for some use cases. But federating ABM is holding us back….
*Thread Reply:* What about federation is holding you back?
*Thread Reply:* We are federated and it works, but it’s behind the Apple School program; I can’t set the lock screen timeout and it’s 2 minutes. Also it would be good to be able to use a different passcode or something like an authenticator app. Some apps also don’t support the shared mode at all
Party People!! I've got some questions about Managed App Configs and how they can be leveraged to automate app-specific logins / sign-ups. Anyone here a M.A.C. wizard?
anyone seen a management / policy guide for MDM for Vision Pro yet?
*Thread Reply:* If you find GitHub stuff readable, here is a link: https://github.com/apple/device-management/compare/release...seediOS-17.4macOS-14.4
*Thread Reply:* MY MAN thank you @Mark Vonk
*Thread Reply:* holy lord what a terrible day to have eyes
*Thread Reply:* There is also the Apple Platform Deployment Guide section for Vision Pro: https://support.apple.com/en-ca/guide/deployment/dep18daf732d/1/web/1.0
*Thread Reply:* Additionally, Jamf says that management capabilities are available in Jamf Pro 11.3.1 for Apple Vision Pro devices with visionOS 1.1: https://learn.jamf.com/en-US/bundle/technical-articles/page/Vision_Pro_Management_with_Jamf_Pro.html
all I can find from Apple is marketing stuff
has anybody already seen MDM controls in their UEM for disabling alternative app stores for iOS 17.4 users in the EU?
Yes, we do it by installing a custom configuration on devices.
See https://www.intuneirl.com/alternative-app-stores-not-on-my-supervised-devices/ for Intune.
Supported from today by Miradore.
VMware has it also. https://kb.vmware.com/s/article/96740
Microsoft has it on their in-development list. https://learn.microsoft.com/en-us/mem/intune/fundamentals/in-development#iosipados
I looked at Microsoft’s in-development list earlier today and totally missed it, as I was looking for a big header for this change.
For those who haven’t seen the beta notes for 17.5, there will be a separate restriction for apps distributed directly from webpages….
Hi folks, just to let you know that there are a lot of issues with VPN functionality at the moment that will be fixed in iOS 17.5 beta 3 as confirmed by Apple support.
We have to reboot the device each time we push a new profile or sometimes post reboot it can take up to 5 mins for the device to leverage the tunnel.
*Thread Reply:* Hi Damian, are the issues you are seeing in 17.4 or in 17.5 beta?
*Thread Reply:* Currently seeing them on 17.4.1
*Thread Reply:* Don’t hesitate to open a case and bolt on to ours: 102274595372
*Thread Reply:* What would be super, super valuable is to install the latest beta and share feedback into AppleSeed to confirm the fix - sometimes there are multiple issues at play, and if the fix isn’t effective for you, sharing that now is probably your best bet for seeing a fix in 17.5.
*Thread Reply:* The issue still isn’t fixed in 17.5 beta 3 so I’m going to share that via Appleseed and the ticket
*Thread Reply:* Just to let you know that all the issues were finally fixed in beta 4 and public 17.5.x also ok
Please share your expert views about choosing the best solution for BYOD: #Apple #AccountDrivenUserEnrollment (AUE) vs #microsoft_intune web-based device enrollment! Which is the best fit for users? #apple #microsoft #byod
Someone in here who also has to deal with the iOS Slack app not being available for download in China from 1st of June on?
Hi All, could I ask everyone who has a premium support contract with Apple to put pressure on them to fix the issue with mobileSSO for Apple:
Product request reference provided by VMware:
Description
When a certificate credential is specified in the same MDM profile as an SSO Extension, the SSO Extension code is unable to access the certificate which is stored into the Apple keychain. This request is for supporting being able to access a certificate that is declared in the same MDM profile as the SSO extension from the SSO extension code. The reason for accessing the certificate is to be able to make a client-SSL request to a server using the certificate and the certificate's private key. The built-in Kerberos SSO Extension provided by Apple does this in that a PKINIT certificate can be specified in the MDM profile and then the Kerberos SSO extension can be configured to use that certificate. However, a non-Apple developer cannot implement similar functionality because the certificate declared in the MDM profile is stored into an Apple keychain which is not accessible to non-Apple code.
Steps to reproduce the issue:
One way to provide this support would be to allow a certificate (including a SCEP certificate) that is declared in an MDM profile to be installed into an application-defined keychain security group rather than in the default Apple keychain security group.
*Thread Reply:* The SSO provider developer could use a SFSafariViewController thing to authenticate against the backend. This allows for CBA
*Thread Reply:* It would be interesting if they allowed defining the Bundle ID and App Group that could utilize that certificate through an app keychain. What is the priority of this feature request? Do you know?
How you could work around this is to use an MDM SDK within the eSSO app which consumes the certificate payload via the SDK, then stores that certificate in a shared keychain for your App Group. That's assuming that you're building your own eSSO.
*Thread Reply:* I know that they are working on it but don’t know the priority. Have you opened a case to bolt on to this? The more the merrier. Re: eSSO - we’re not building our own but interesting all the same